Batch and password access depending on hosts

I am trying to add secure shell to a system where there are a lot of scripts
which rsh to remote hosts - these are called from applications and cron jobs
which use several user

Fortunately the rsh-ing is just between a small number of "core" machines.
However, it is possible for any user to attempt to log in to any of these
machines from "outside", and in this case password authentication MUST be
used.

The snail book recommends dedicated "locked-down automation" accounts for
running remote scripts, but our existing system uses the SAME user accounts
for running remote scripts and for logging-in from outside client machines.
It would require a lot of work to create additional "automation" accounts,
change all of the necessary scripts, and then try to fix the inevitable
elusive problems caused by conflicting file ownerships and permissions.

Effectively I'd need to force all users to have to log in remotely between
any 2 machines via UNIX password authentication only. BUT for a specific
subset of those user accounts, and between specific machines, have a
non-default method of allowing remote scripts to run via passwordless public
key authentication.

But I can't see how the sshd config file can be set to always force password
for some cases, and allow public key authentication in other cases.

Would I need to run TWO sets of sshd daemons with different config files
(one specifying password auth and the other public key auth)? I guess I
could arrange for the "public key" sshd daemon to run only on the machines
which allow remote shells to be run on them, and use the "from" directive in
the authorized_keys file to restrict which client machines can invoke a
remote shell. But running two sets of sshd daemons seems a bit messy.

Or is there a way to do this using a single sshd config file?

Also I'm a little worried that having logged on to one of the "core"
machines, a user could inadvertently edit or delete any of the files in
~/.ssh which could stop the remote scripts and cron jobs from working. I know
that you can set the ownership of these files to root and give write access
only to root, but a user could still do

    mv .ssh .ssh-disabled

I'd be more comfortable if all the user .ssh directories could be placed
somewhere else which could only be read and written-to by root. Root would
then have complete control over the user keys. I believe you can do this in
SSH2, but we are using Solaris 9 ssh which is derived from an older version
of OpenSSH.

Re: Batch and password access depending on hosts

You could configure publickey or hostbased authentication for these
accounts, restricted to the source addresses of the appropriate hosts.
These methods would fail for outside connections, which would then
fall back to password authentication.

As for preventing users from modifying the authorization files: if you use
hostbased authentication, you can set IgnoreRhosts and
IgnoreUserKnownHosts. For publickey, you could set AuthorizedKeysFile and
place the authorization files outside user home directories (assuming your
version of OpenSSH supports this); however, this would apply to all

Tectia allows greater flexibility in server configuration: you can have
completely different server settings based on the source address of the

  Richard Silverman
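
One way to check the source-address restriction discussed in this thread, as an added example that is not code from either poster: a Python audit that parses authorized_keys lines and flags any key with no from= option, or with from= patterns that reach beyond a list of core hosts. The host names, key blobs and the CORE_HOSTS list are constructed placeholders, and backslash-escaped quotes inside option values are not interpreted.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
CORE_HOSTS = {"core1.example.com", "192.0.2.10"}   # constructed allowlist

# Constructed sample file; key blobs are truncated placeholders.
SAMPLE = """\
# batch keys
from="core1.example.com,192.0.2.10",no-pty ssh-rsa AAAAB3NzaC1yc2E batch@core1
ssh-rsa AAAAB3NzaC1yc2E alice@laptop
from="*.example.com",command="/opt/sync.sh a, b" ssh-dss AAAAB3NzaC1kc3M cron
"""

def parse_options(line):
    """Return {option: value} from the options field of one key line."""
    first = line.split(None, 1)[0]
    if first.startswith(KEY_TYPES) or first.isdigit():  # digits: protocol 1 key
        return {}                                       # line has no options
    opts, buf, quoted = {}, "", False
    for ch in line + " ":                 # trailing blank flushes last option
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in ", \t":
            name, _, value = buf.partition("=")
            if name:
                opts[name.lower()] = value
            buf = ""
            if ch != ",":
                break                     # unquoted whitespace ends the options
        else:
            buf += ch
    return opts

def audit(text, allowed=CORE_HOSTS):
    """Return [(line_number, problem)] for keys not pinned to core hosts."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns = [p for p in parse_options(line).get("from", "").split(",") if p]
        if not patterns:
            findings.append((n, "no from= restriction"))
        for p in patterns:
            if p.startswith("!"):
                continue                  # negated patterns only narrow access
            if "*" in p or "?" in p:
                findings.append((n, "wildcard pattern " + p))
            elif p not in allowed:
                findings.append((n, "host not in core list: " + p))
    return findings
```

Calling audit(SAMPLE) reports line 3 (no from= restriction) and line 4 (wildcard pattern); pass it the contents of each real authorized_keys file to check a host.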
