
Re: Not allow users to change passwd




Speaking of SSH & keys, is there a way to make sure that a key has a
passphrase? (Or do I need to hack sshd to do this?)

Tor

On Wed, 15 Sep 1999, Peter Galbavy wrote:

> On Wed, Sep 15, 1999 at 11:23:59AM +0200, Tony Sarendal wrote:
> > I have a server (yes my old crappy one) where people can log
> > in only if they've sent me their public ssh key.
> > 
> > I want to disable their regular Unix password, and make sure
> > they can't change it.
> > 
> > What is the best way of doing this?
> 
> man sshd
> 
> One of the config file options is to disable normal password access.
> How you get the authorized_keys file there in the first place is left
> as an exercise for the reader:
> 
>        PasswordAuthentication
> 		Specifies  whether   password   authentication is
> 		allowed.  The default is "yes".
> 
> BTW The way we run it (or will, in real life very soon) is to gather
> all the authorized key files into a single directory (/etc/ssh/keys)
> and use a slightly hacked version of ssh to check only there for the
> public keys.
> 
> This gives >us< two benefits - (1) No home directory or shared home
> directories and (2) with appropriate perms, only *we* can change the
> keys or the directory, so users cannot tamper with who is allowed in
> to their accounts - on the assumption that they consider their key 
> important enough not to give away.
> 
> Small, untidy patch attached, and it is assumed that ssh is built
> using --with-etcdir=/etc/ssh - this is *not* the standard port
> settings.
> 
> Regards,
> -- 
> Peter Galbavy
> Knowledge Matters Ltd
> http://www.knowledge.com/
>
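
An added example, not part of the original thread or of Peter's patch: a small audit of the two things the quoted reply relies on, that PasswordAuthentication is effectively "no" and that nobody but the administrator can modify the central key directory. The function names are hypothetical, and the config parsing assumes OpenSSH-style rules (first occurrence of a keyword wins, settings after a Match line are conditional).

```python
import os
import stat

def effective_password_auth(config_text):
    """Global PasswordAuthentication value; the quoted man page gives "yes" as default."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()    # accept "Key value" and "Key=value"
        keyword = parts[0].lower()                   # keywords are case-insensitive
        if keyword == "match":                       # assumption: later lines are conditional
            break
        if keyword == "passwordauthentication" and len(parts) > 1:
            return parts[1].lower()                  # assumption: first occurrence wins
    return "yes"

def audit_key_dir(key_dir, trusted_uid=0):
    """Return (path, problem) pairs for anything a non-admin could tamper with."""
    findings = []
    entries = sorted(os.path.join(key_dir, n) for n in os.listdir(key_dir))
    for path in [key_dir] + entries:
        st = os.lstat(path)                          # lstat: do not follow symlinks
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((path, "owner uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "group/other writable"))
    return findings

if __name__ == "__main__":
    # Constructed sample config; on a real host read the sshd config file instead.
    sample = "Port 22\nPasswordAuthentication no\n"
    print("PasswordAuthentication:", effective_password_auth(sample))
    key_dir = "/etc/ssh/keys"                        # directory named in the quoted mail
    if os.path.isdir(key_dir):
        for path, problem in audit_key_dir(key_dir):
            print("WARN", path, problem)
```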