Selective blocking of password authentication

David Grimes grimes at cs.washington.edu
Tue Oct 29 21:00:21 EST 2002


>On Mon, Oct 28, 2002 at 10:10:49PM -0800, David Grimes wrote:
>> I'm running OpenSSH 3.4 and have the situation that some users want to 
>> allow password authentication into their accounts and some explicitly
>> want to disallow password authentication. Is this possible? I wasn't 
>> able to come up with a way looking through ssh_config and sshd_config,
>> as well as some FAQs. 
>> 
>> It seems the problem is that there is no scoping of directives in sshd_config,
>> thus PasswordAuthentication is global for all users. Alternatively it seems
>> like sshd should be able to check some file ~/.ssh/sshd_config for such an
>> option.
>
>If you're using PAM, and you are willing to do some admin for each user
>(rather than self-admin), you can use a PAM module which reads a file
>containing a list of users that cannot log in.  The overhead is you
>have to add users to that list, although you could script this easily
>(for user in /home/*; do cd "$user"; if [ -f .ssh_nopwlogin ]; then addtolist;
> fi; done).  I think Linux-PAM ships with pam_listfile.so to do this.
>
>Users doing pubkey auth will still be able to log in.
>
>If you're not willing to do the admin piece, then you can just lock
>those users' accounts; this typically prefaces their crypted passwd
>entry with '!' thereby disabling password auth.  However, this will
>break as PAM modules are fixed to check this in the account module.
>(Since the pubkey path correctly still does a PAM 'account' check.)
>
>I think Solaris 9 has this fixed, for one.
>
>The first solution is the better of the two, IMHO.  Other solutions
>(non-PAM) will depend on your OS.
>
>/fc

Thanks, that sounds like it might be do-able with PAM. The only problem
is that some users would like to be able to physically log into the machines
as well. I'm not sure if PAM would be able to differentiate between login
and sshd. I'll look into this though...

Sorry I really should have mentioned that I'm also running 
Debian Linux (sid-2.4.19).

-David <grimes at cs.washington.edu>
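The pam_listfile approach sketched in the quoted reply, as an added example (not code from this thread, from OpenSSH or from Linux-PAM). It assumes a marker file named .ssh_nopwlogin in each opting-out user's home, a deny list at /etc/ssh/nopasswd_users, and that the basename of each home directory is the username; all three are this example's choices, not anything the posts specify. PAM policy is per service, so the listfile line goes only into sshd's service file (/etc/pam.d/sshd, or /etc/pam.d/ssh on older Debian packages, whichever service name your build uses), and console logins through /etc/pam.d/login are untouched. Since sshd's public-key path never runs the PAM auth stack, listed users can still log in with keys.

```shell
#!/bin/sh
# Added example: build a pam_listfile deny list from per-user opt-out markers.
# Assumptions (this example's, not the thread's): marker file ~/.ssh_nopwlogin,
# list file /etc/ssh/nopasswd_users, and username == basename of the home
# directory under HOME_ROOT.

# build_nopw_list HOME_ROOT LISTFILE
# Writes one username per line for every HOME_ROOT/<user>/.ssh_nopwlogin found.
# pam_listfile treats a world-writable or non-root-owned list as an error, so
# the real file must be written as root; 0644 keeps it readable by PAM but not
# writable by the users it names.
build_nopw_list() {
    home_root=$1
    listfile=$2
    tmpfile="$listfile.tmp.$$"
    : > "$tmpfile"
    for dir in "$home_root"/*/; do          # trailing slash: directories only
        [ -d "$dir" ] || continue
        if [ -f "$dir/.ssh_nopwlogin" ]; then
            basename "$dir" >> "$tmpfile"
        fi
    done
    chmod 0644 "$tmpfile"
    mv "$tmpfile" "$listfile"   # atomic replace so PAM never reads a partial list
}

# pam_listfile_line LISTFILE
# Prints the line to place at the top of sshd's PAM service file, ahead of
# pam_unix: names in LISTFILE are denied (sense=deny); onerr=succeed means an
# unreadable list lets other users through instead of locking everyone out.
pam_listfile_line() {
    printf 'auth\trequired\tpam_listfile.so onerr=succeed item=user sense=deny file=%s\n' "$1"
}

# count_nopw LISTFILE: number of users currently denied password auth.
count_nopw() {
    grep -c . "$1"
}

# Stand-alone demo on a constructed home tree (nothing touches /etc or /home).
demo=$(mktemp -d)
mkdir -p "$demo/home/alice" "$demo/home/bob" "$demo/home/carol"
touch "$demo/home/alice/.ssh_nopwlogin" "$demo/home/carol/.ssh_nopwlogin"
build_nopw_list "$demo/home" "$demo/nopasswd_users"
echo "users denied password auth: $(count_nopw "$demo/nopasswd_users")"
cat "$demo/nopasswd_users"
pam_listfile_line /etc/ssh/nopasswd_users
rm -rf "$demo"
```

Run build_nopw_list from root's cron against the real /home and /etc/ssh/nopasswd_users; the marker lives in the user's own home, so opting out of password auth stays self-service while the list itself remains root-owned.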