On Sun, 2007-01-14 at 14:36 +0100, Adrian von Bidder wrote:
> On Thursday 11 January 2007 20:15, Michel Messerschmidt wrote:
> > On Thu, Jan 11, 2007 at 06:55:33PM +0100, Adrian von Bidder wrote:
> > > Anybody has an idea if and how this is possible?  The obvious but ugly
> > > solution would be to run a second sshd on a different port, but I'd
> > > rather avoid that.
> >
> > If I understand this correctly, it's not a matter of public key or
> > password authentication but rather to give shell access to only one
> > user.
>
> Wrong.
>
> I have users a, b, c, d, e.  All users except e can have shell access, but
> because shell access is powerful, must not be able to log in with
> password, but only with public key.  User e is allowed to log in with
> password and is restricted by rssh to only use scp, sftp or rsync so that
> even if that password is stolen/guessed, the attacker can at most deface
> the hosted web site in e's directory.

You could set the passwords for a, b, c, and d to some invalid hash in
/etc/passwd, so no password will actually work, but public keys do work.
Like Ubuntu does with 'root' in the default install.

For (old) ftp connections, I used to set the user's shell to something
that's not in /etc/shells. I haven't tried with scp, but I think scp needs
a valid shell. Maybe you can set user e's shell to rbash(1).

> Judging from the replies I've received so far I'll just end up running a 2nd
> sshd on port 2222 or wherever.
>
> cheers
> -- vbi

Regards,
Berend
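
A way to check that the layout discussed in this thread actually holds, as an added example that is not part of the original messages: it classifies each account's password field and reports any key-only account that still has a usable hash. It assumes shadow passwords (hash field in /etc/shadow); the sample entries, the shell paths and the names `password_state` and `audit` are constructed for illustration.

```python
import re
# Constructed sample data (not from the thread): passwd(5)/shadow(5) entries
# for users a-e. The hash strings are placeholders, not real crypt(3) output.
PASSWD = """\
a:x:1001:1001::/home/a:/bin/bash
b:x:1002:1002::/home/b:/bin/bash
c:x:1003:1003::/home/c:/bin/bash
d:x:1004:1004::/home/d:/bin/bash
e:x:1005:1005::/home/e:/usr/bin/rssh
"""
SHADOW = """\
a:!:13527:0:99999:7:::
b:*:13527:0:99999:7:::
c:!$1$CONSTRUC$placeholderplaceholder:13527:0:99999:7:::
d:$1$CONSTRUC$placeholderplaceholder:13527:0:99999:7:::
e:$1$CONSTRUC$placeholderplaceholder:13527:0:99999:7:::
"""
DES = re.compile(r"[./0-9A-Za-z]{13}")      # traditional crypt(3)
MODULAR = re.compile(r"\$[0-9a-z]+\$.+")    # $id$salt$hash schemes

def password_state(field):
    """Classify a shadow password field (heuristic format check)."""
    if field == "":
        return "empty"                       # no password needed at all
    if field[0] in "!*":
        return "locked"
    if DES.fullmatch(field) or MODULAR.fullmatch(field):
        return "usable"
    return "locked"                          # not a valid crypt(3) result

def audit(passwd_text, shadow_text, password_users, restricted_shells):
    """Return (user, problem) pairs that violate the key-only policy."""
    shells = {f[0]: f[6] for f in
              (l.split(":") for l in passwd_text.splitlines()) if len(f) == 7}
    findings = []
    for fields in (l.split(":") for l in shadow_text.splitlines()):
        if len(fields) < 2 or fields[0] not in shells:
            continue
        user, state = fields[0], password_state(fields[1])
        if state == "empty":
            findings.append((user, "empty password field"))
        elif user in password_users:
            if shells[user] not in restricted_shells:
                findings.append((user, "password login with unrestricted shell"))
        elif state == "usable":
            findings.append((user, "usable password hash on key-only account"))
    return findings
if __name__ == "__main__":
    print(audit(PASSWD, SHADOW, {"e"}, {"/usr/bin/rssh", "/bin/rbash"}))
```

On the sample data only user d is reported, because d still carries a usable hash while a, b and c are locked and e is confined to a restricted shell.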