Selective blocking of password authentication

Frank Cusack fcusack at fcusack.com
Tue Oct 29 19:47:46 EST 2002


On Mon, Oct 28, 2002 at 10:10:49PM -0800, David Grimes wrote:
> I'm running OpenSSH 3.4 and have the situation that some users want to 
> allow password authentication into their accounts and some explicitly
> want to disallow password authentication. Is this possible? I wasn't 
> able to come up with a way looking through ssh_config and sshd_config,
> as well as some FAQs. 
> 
> It seems the problem is that there is no scoping of directives in sshd_config,
> thus PasswordAuthentication is global for all users. Alternatively it seems
> like sshd should be able to check some file ~/.ssh/sshd_config for such an
> option.

If you're using PAM, and you are willing to do some admin for each user
(rather than self-admin), you can use a PAM module which reads a file
containing a list of users that cannot log in.  The overhead is you
have to add users to that list, although you could script this easily
(for user in /home/*; do cd "$user"; if [ -f .ssh_nopwlogin ]; then addtolist;
 fi; done).  I think Linux-PAM ships with pam_listfile.so to do this.

Users doing pubkey auth will still be able to log in.

If you're not willing to do the admin piece, then you can just lock
those users' accounts; this typically prefixes their crypted passwd
entry with '!', thereby disabling password auth.  However, this will
break as PAM modules are fixed to check this in the account module.
(Since the pubkey path correctly still does a PAM 'account' check.)

I think Solaris 9 has this fixed, for one.

The first solution is the better of the two, IMHO.  Other solutions
(non-PAM) will depend on your OS.

/fc
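The marker-file scan sketched in the reply, written out as an added example (this is not code from the original post). It maps each home directory back to its account through a passwd(5)-format file instead of trusting directory names, and writes the list in the one-user-per-line form pam_listfile.so reads; the marker name .ssh_nopwlogin, the list path /etc/ssh/nopw_users and the PAM line in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the deny list that
# pam_listfile.so reads by scanning each account's home for a marker file
# (assumed name: .ssh_nopwlogin). Listed users fail sshd's PAM 'auth' stack,
# so password login is refused; the pubkey path does not run 'auth', so
# keys keep working (it still runs 'account', as the post notes).
#
# Assumed sshd PAM line, placed ahead of the password modules in
# /etc/pam.d/sshd:
#   auth required pam_listfile.so onerr=fail item=user sense=deny file=/etc/ssh/nopw_users
# pam_listfile rejects a list that is not owned by root or is world-writable,
# so run this as root (or chown the result) and keep mode 0644.

MARKER=.ssh_nopwlogin

# build_nopw_list PASSWD_FILE LIST_FILE
# Reads accounts in passwd(5) format (default /etc/passwd), writes one user
# per line to LIST_FILE for every home that contains $MARKER, and prints the
# number of users written. The list is assembled in a temp file and moved
# into place so PAM never reads a half-written list.
build_nopw_list() {
    passwd_file=${1:-/etc/passwd}
    list_file=$2
    tmp="$list_file.tmp.$$"
    count=0
    : > "$tmp" || return 1
    while IFS=: read -r user pw uid gid gecos home shell; do
        # Skip blank/comment lines and accounts with no home directory.
        case $user in ''|\#*) continue ;; esac
        [ -n "$home" ] || continue
        if [ -f "$home/$MARKER" ]; then
            printf '%s\n' "$user" >> "$tmp"
            count=$((count + 1))
        fi
    done < "$passwd_file"
    chmod 0644 "$tmp" && mv "$tmp" "$list_file" || return 1
    printf '%s\n' "$count"
}
```

Run it from cron or after provisioning, e.g. `build_nopw_list /etc/passwd /etc/ssh/nopw_users`; a user opts out of password login by creating the marker file in their home.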
