- Batch and password access depending on hosts
January 16, 2005, 1:41 pm
to remote hosts - these are called from applications and cron jobs which use
Fortunately the rsh-ing is just between a small number of "core" machines. However, it is possible for any user to attempt to log in to any of these machines from
in this case password authentication MUST be used.

The snail book recommends dedicated "locked-down automation" accounts for scripts, but our existing system uses the SAME user accounts for running and for logging-in from outside client machines. It would require a lot of work to create additional "automation" accounts, change all of the necessary scripts, and then try to fix the inevitable elusive problems caused by conflicting file ownerships
Effectively I'd need to force all users to have to log in remotely between any 2 machines via UNIX password authentication only. BUT for a specific subset of those user accounts, and between specific machines, have a non-default method of allowing remote scripts to run via passwordless public key authentication.

But I can't see how the sshd config file can be set to always force password for some cases, and allow public key authentication in other cases. Would I need to run TWO sets of sshd daemons with different config files
password auth and the other public key auth)? I guess I could arrange for the "public key" sshd daemon to run only on the machines which allow remote shells to be run on them, and use the "from" directive in the authorized_keys file to restrict which client machines can invoke a remote shell. But running two sets of sshd daemons seems a bit messy. Or is there a way to do this using a single sshd config file?

Also I'm a little worried that having logged on to one of the "core" machines, a user could inadvertently edit or delete any of the files in ~/.ssh which could stop the remote scripts and cron jobs from working. I know that you can set the ownership of
to root and give write access only to root, but a user could still do
mv .ssh .ssh-disabled
I'd be more comfortable if all the user .ssh directories could be placed
which could only be read and written-to by root. Root would then have
over the user keys. I believe you can do this in SSH2, but we are using Solaris 9 ssh which is derived from an older version of OpenSSH.
- Richard E. Silverman
January 16, 2005, 7:17 pm
Re: Batch and password access depending on hosts
You could configure publickey or hostbased authentication for these accounts, restricted to the source addresses of the appropriate hosts. These methods would fail for outside connections, which would then fall back to password authentication.

As for preventing users from modifying the authorization files: if you use hostbased authentication, you can set IgnoreRhosts and IgnoreUserKnownHosts. For publickey, you could set AuthorizedKeysFile and place the authorization files outside user home directories (assuming your version of OpenSSH supports this); however, this would apply to all
Tectia allows greater flexibility in server configuration: you can have completely different server settings based on the source address of the