SSH pubkey or password based on user group - SSH


Thread: SSH pubkey or password based on user group

  1. SSH pubkey or password based on user group

    Hi,

    What I was trying to do is not to allow users that are in root group to
    login using ssh in our server without having their public key while
    every other user can choose whether they will login using their password
    or their public key.
    I was searching through pam modules without success if there was a way
    of doing this through pam but I couldn't find any module that will have
    my job done. Does anyone have any clue if there is a way of doing this?

    Thanks
    Nikos

  2. Re: SSH pubkey or password based on user group

    On 26 Oct, 16:25, Nikos Nikoleris wrote:
    > Hi,
    >
    > What I was trying to do is not to allow users that are in root group to
    > login using ssh in our server without having their public key while
    > every other user can choose whether they will login using their password
    > or their public key.
    > I was searching through pam modules without success if there was a way
    > of doing this through pam but I couldn't find any module that will have
    > my job done. Does anyone have any clue if there is a way of doing this


    Would it work simply to leave a cron job in place to scream bloody
    murder if anyone puts root keys on the server? Or to allow root logins
    only on another port, with your sshd set something like this:

    On port 22:

    Port 22
    PermitRootLogin no

    And on port 2022

    Port 2022
    PubkeyAuthentication no
    AllowGroups root

    Does that make sense? Manipulating a single SSH daemon to do what you
    ask is going a bit far.


  3. Re: SSH pubkey or password based on user group

    Nico wrote:
    > On 26 Oct, 16:25, Nikos Nikoleris wrote:
    >> Hi,
    >>
    >> What I was trying to do is not to allow users that are in root group to
    >> login using ssh in our server without having their public key while
    >> every other user can choose whether they will login using their password
    >> or their public key.
    >> I was searching through pam modules without success if there was a way
    >> of doing this through pam but I couldn't find any module that will have
    >> my job done. Does anyone have any clue if there is a way of doing this

    >
    > Would it work simply to leave a cron job in place to scream bloody
    > murder if anyone puts root keys on the server? Or to allow root logins
    > only on another port, with your sshd set something like this:
    >
    > On port 22:
    >
    > Port 22
    > PermitRootLogin no
    >
    > And on port 2022
    >
    > Port 2022
    > PubkeyAuthentication no
    > AllowGroups root
    >
    > Does that make sense? Manipulating a single SSH daemon to do what you
    > ask is going a bit far.
    >


    Maybe this can do the job but I was hoping that one instance of the ssh
    daemon was enough. What I thought at first was to change the way users
    authenticate, so maybe use some other pam module. Those that I have
    already found - pam_ssh.so, pam_ssh_agent.so, pam_if.so, maybe a
    combination of them - can do something similar but not what I want
    exactly. I was hoping that there is a way to use a combination of these
    modules to do what I ask. Am I wrong? Isn't pubkey authentication
    something that pam handles just as it is with passwords? If this is true
    then there can be a way of implementing or using some modules that do
    that.

    Thanks
    Nikos

  4. Re: SSH pubkey or password based on user group

    Nikos Nikoleris wrote:
    > Hi,
    >
    > What I was trying to do is not to allow users that are in root group to
    > login using ssh in our server without having their public key while
    > every other user can choose whether they will login using their password
    > or their public key.
    > I was searching through pam modules without success if there was a way
    > of doing this through pam but I couldn't find any module that will have
    > my job done. Does anyone have any clue if there is a way of doing this


    hello.

    I'm posting in case there is someone else who wants to do that.

    finally, we did it ... ;-)

    /etc/pam.d/ssh:
    auth required pam_listfile.so item=group sense=deny file=/etc/ssh/sshd.deny onerr=succeed

    /etc/ssh/sshd.deny:
    pubkeyssh

    so any member of pubkeyssh group is allowed to login only with a pubkey.

    I'm sure there is an easier way to do it but it's more about pam than ssh.

    cheers,

    --
    Anastassios Nanos


    1024D/CCCE759D 2007/04/29 Anastassios Nanos
    Key fingerprint = 60EC 7B9E CD11 9AB2 C3CE B694 08D6 F033 CCCE 759D
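    As an added illustration (not code from the thread), the following Python models what the pam_listfile line above decides for the password path versus the public-key path, and what onerr=succeed means when the list file cannot be read; the temp-file paths are constructed stand-ins for /etc/ssh/sshd.deny.

```python
import os
import tempfile

def pam_listfile_group_deny(user_groups, deny_file, onerr="succeed"):
    # Models "auth required pam_listfile.so item=group sense=deny file=F onerr=X":
    # returns True when the module passes (stack continues), False when it denies.
    # The real module also treats a list file that is world-writable or not
    # owned by root as an error, which onerr then decides.
    try:
        with open(deny_file) as fh:
            listed = {l.strip() for l in fh if l.strip() and not l.startswith("#")}
    except OSError:
        # onerr=succeed is fail-open: losing the deny file silently lifts
        # the restriction; onerr=fail would deny every password login instead.
        return onerr == "succeed"
    return not (set(user_groups) & listed)

def ssh_login_allowed(method, user_groups, deny_file, onerr="succeed"):
    # sshd runs the PAM auth stack only for password/keyboard-interactive;
    # publickey is verified by sshd itself, so the deny list never sees it.
    if method == "publickey":
        return True
    return pam_listfile_group_deny(user_groups, deny_file, onerr)

# Constructed deny list standing in for /etc/ssh/sshd.deny (assumption).
_dir = tempfile.mkdtemp()
DENY_FILE = os.path.join(_dir, "sshd.deny")
with open(DENY_FILE, "w") as fh:
    fh.write("pubkeyssh\n")
MISSING_FILE = os.path.join(_dir, "absent.deny")
```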

  5. Re: SSH pubkey or password based on user group

    >>>>> "AN" == Anastassios Nanos writes:

    AN> Nikos Nikoleris wrote:
    >> Hi,
    >>
    >> What I was trying to do is not to allow users that are in root
    >> group to login using ssh in our server without having their public
    >> key while every other user can choose whether they will login using
    >> their password or their public key. I was searching through pam
    >> modules without success if there was a way of doing this through
    >> pam but I couldn't find any module that will have my job done. Does
    >> anyone have any clue if there is a way of doing this


    AN> hello.

    AN> I'm posting in case there is someone else who wants to do that.

    AN> finally, we did it ... ;-)

    AN> /etc/pam.d/ssh: auth required pam_listfile.so item=group
    AN> sense=deny file=/etc/ssh/sshd.deny onerr=succeed

    AN> /etc/ssh/sshd.deny: pubkeyssh

    AN> so any member of pubkeyssh group is allowed to login only with a
    AN> pubkey.

    AN> I'm sure there is an easier way to do it but it's more about pam
    AN> than ssh.

    AN> cheers,

    AN> -- Anastassios Nanos

    AN> 1024D/CCCE759D 2007/04/29 Anastassios Nanos
    AN> Key fingerprint = 60EC 7B9E CD11 9AB2 C3CE B694 08D6 F033 CCCE
    AN> 759D

    [sshd_config]

    match group root
    passwordauthentication no

    --
    Richard Silverman
    res@qoxp.net


  6. Re: SSH pubkey or password based on user group

    On 28 Oct, 01:07, "Richard E. Silverman" wrote:
    > >>>>> "AN" == Anastassios Nanos writes:

    >
    > AN> Nikos Nikoleris wrote:
    > >> Hi,
    > >>
    > >> What I was trying to do is not to allow users that are in root
    > >> group to login using ssh in our server without having their public
    > >> key while every other user can choose whether they will login using
    > >> their password or their public key. I was searching through pam
    > >> modules without success if there was a way of doing this through
    > >> pam but I couldn't find any module that will have my job done. Does
    > >> anyone have any clue if there is a way of doing this

    >
    > AN> hello.
    >
    > AN> I'm posting in case there is someone else who wants to do that.
    >
    > AN> finally, we did it ... ;-)
    >
    > AN> /etc/pam.d/ssh: auth required pam_listfile.so item=group
    > AN> sense=deny file=/etc/ssh/sshd.deny onerr=succeed
    >
    > AN> /etc/ssh/sshd.deny: pubkeyssh
    >
    > AN> so any member of pubkeyssh group is allowed to login only with a
    > AN> pubkey.
    >
    > AN> I'm sure there is an easier way to do it but it's more about pam
    > AN> than ssh.
    >
    > AN> cheers,
    >
    > AN> -- Anastassios Nanos
    >
    > AN> 1024D/CCCE759D 2007/04/29 Anastassios Nanos
    > AN> Key fingerprint = 60EC 7B9E CD11 9AB2 C3CE B694 08D6 F033 CCCE
    > AN> 759D
    >
    > [sshd_config]
    >
    > match group root
    > passwordauthentication no
    >
    > --
    > Richard Silverman
    > r...@qoxp.net



    Ahh. That keeps you out of mucking with the PAM configuration files,
    which is a bit dangerous to do in systems where software may be
    upgraded or configuration tools may edit them in ways that would
    require resetting them manually, which could be awkward if your SSH is
    messed up.

    I think Richard is the winner, and still champeen!


  7. Re: SSH pubkey or password based on user group

    "Richard E. Silverman" writes:

    >>>>>> "AN" == Anastassios Nanos writes:


    > AN> Nikos Nikoleris wrote:
    > >> Hi,
    > >>
    > >> What I was trying to do is not to allow users that are in root
    > >> group to login using ssh in our server without having their public
    > >> key while every other user can choose whether they will login using
    > >> their password or their public key. I was searching through pam
    > >> modules without success if there was a way of doing this through
    > >> pam but I couldn't find any module that will have my job done. Does
    > >> anyone have any clue if there is a way of doing this


    > AN> hello.


    > AN> I'm posting in case there is someone else who wants to do that.


    > AN> finally, we did it ... ;-)


    > AN> /etc/pam.d/ssh: auth required pam_listfile.so item=group
    > AN> sense=deny file=/etc/ssh/sshd.deny onerr=succeed


    > AN> /etc/ssh/sshd.deny: pubkeyssh


    > AN> so any member of pubkeyssh group is allowed to login only with a
    > AN> pubkey.


    > AN> I'm sure there is an easier way to do it but it's more about pam
    > AN> than ssh.


    > AN> cheers,


    > AN> -- Anastassios Nanos


    > AN> 1024D/CCCE759D 2007/04/29 Anastassios Nanos
    > AN> Key fingerprint = 60EC 7B9E CD11 9AB2 C3CE B694 08D6 F033 CCCE
    > AN> 759D


    >[sshd_config]


    >match group root
    > passwordauthentication no




    Does this work? From man sshd_config

    ***********************************
    Match Introduces a conditional block. If all of the criteria on the
    Match line are satisfied, the keywords on the following lines
    override those set in the global section of the config file,
    until either another Match line or the end of the file. The
    arguments to Match are one or more criteria-pattern pairs. The
    available criteria are User, Group, Host, and Address. Only a
    subset of keywords may be used on the lines following a Match
    keyword. Available keywords are AllowTcpForwarding,
    ForceCommand, GatewayPorts, PermitOpen, X11DisplayOffset,
    X11Forwarding, and X11UseLocalHost.
    **************************************
    This seems to say only those 7 keywords are allowed, not
    passwordauthentication. Am I misreading it? Or is it just wrong?


  8. Re: SSH pubkey or password based on user group

    >>>>> "Unruh" == Unruh writes:

    Unruh> "Richard E. Silverman" writes:
    >>>>>>> "AN" == Anastassios Nanos writes:


    AN> Nikos Nikoleris wrote:
    >> >> Hi,
    >> >>
    >> >> What I was trying to do is not to allow users that are in root
    >> >> group to login using ssh in our server without having their
    >> >> public key while every other user can choose whether they will
    >> >> login using their password or their public key. I was searching
    >> >> through pam modules without success if there was a way of doing
    >> >> this through pam but I couldn't find any module that will have
    >> >> my job done. Does anyone have any clue if there is a way of
    >> >> doing this


    AN> hello.

    AN> I'm posting in case there is someone else who wants to do that.

    AN> finally, we did it ... ;-)

    AN> /etc/pam.d/ssh: auth required pam_listfile.so item=group
    AN> sense=deny file=/etc/ssh/sshd.deny onerr=succeed

    AN> /etc/ssh/sshd.deny: pubkeyssh

    AN> so any member of pubkeyssh group is allowed to login only with a
    AN> pubkey.

    AN> I'm sure there is an easier way to do it but it's more about pam
    AN> than ssh.

    AN> cheers,

    AN> -- Anastassios Nanos

    AN> 1024D/CCCE759D 2007/04/29 Anastassios Nanos
    AN> Key fingerprint = 60EC 7B9E CD11 9AB2 C3CE B694 08D6 F033 CCCE
    AN> 759D

    >> [sshd_config]

    >> match group root
    >> passwordauthentication no




    Unruh> Does this work? From man sshd_config

    Unruh> *********************************** Match Introduces a
    Unruh> conditional block. If all of the criteria on the Match line
    Unruh> are satisfied, the keywords on the following lines override
    Unruh> those set in the global section of the config file, until
    Unruh> either another Match line or the end of the file. The
    Unruh> arguments to Match are one or more criteria-pattern pairs. The
    Unruh> available criteria are User, Group, Host, and Address. Only a
    Unruh> subset of keywords may be used on the lines following a Match
    Unruh> keyword. Available keywords are AllowTcpForwarding,
    Unruh> ForceCommand, GatewayPorts, PermitOpen, X11DisplayOffset,
    Unruh> X11Forwarding, and X11UseLocalHost.
    Unruh> ************************************** This seems to say only
    Unruh> those 7 keywords are allowed, not passwordauthentication. Am I
    Unruh> misreading it? Or is it just wrong?

    The man page from the latest version (4.7) does list
    passwordauthentication, and I just tested it; it does work.

    --
    Richard Silverman
    res@qoxp.net
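    An added example, not from the thread or OpenSSH, that models how sshd evaluates the Match block Richard posted: keyword case, override-until-next-Match, first-match precedence per keyword, and the keyboard-interactive/PAM path that can still prompt for a password when only PasswordAuthentication is switched off. CFG is a constructed config and the parser is a simplified model (Host/Address criteria are not handled); cross-check a real file with `sshd -T -C user=...,host=...,addr=...` where the installed version supports it.

```python
import fnmatch

def parse_sshd_config(text):
    # Keywords are case-insensitive; a Match block runs until the next Match.
    glob, blocks, cur = {}, [], None
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            toks = value.split()
            cur = (dict(zip([t.lower() for t in toks[0::2]], toks[1::2])), {})
            blocks.append(cur)
        elif cur is None:
            glob[key] = value
        else:
            cur[1][key] = value
    return glob, blocks

def effective_settings(text, user, groups):
    # Every criterion on a Match line must hold (comma-separated globs);
    # when several matching blocks set a keyword, the first one wins.
    glob, blocks = parse_sshd_config(text)
    matched = {}
    for criteria, settings in blocks:
        hit = True
        for crit, pattern in criteria.items():
            pats = pattern.split(",")
            if crit == "user":
                hit &= any(fnmatch.fnmatchcase(user, p) for p in pats)
            elif crit == "group":
                hit &= any(fnmatch.fnmatchcase(g, p) for g in groups for p in pats)
            else:
                hit = False  # Host/Address criteria are not modelled here
        if hit:
            for k, v in settings.items():
                matched.setdefault(k, v)
    return {**glob, **matched}

def password_login_possible(eff):
    # Keyboard-interactive via PAM can still prompt for a password when
    # ChallengeResponseAuthentication is left on: a common gotcha.
    v = lambda k, d: eff.get(k, d).lower() == "yes"
    return v("passwordauthentication", "yes") or (
        v("challengeresponseauthentication", "yes") and v("usepam", "no"))

CFG = """\
PasswordAuthentication yes
match group root
passwordauthentication no
"""  # constructed config in the shape the thread converged on
```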


  9. Re: SSH pubkey or password based on user group

    Nico wrote:
    > On 28 Oct, 01:07, "Richard E. Silverman" wrote:
    >> [sshd_config]
    >>
    >> match group root
    >> passwordauthentication no
    >>

    thanx ;-)
    >
    >
    > Ahh. That keeps you out of mucking with the PAM configuration files,
    > which is a bit dangerous to do in systems where software may be
    > upgraded or configuration tools may edit them in ways that would
    > require resetting them manually, which could be awkward if your SSH is
    > messed up.


    well, the only occasion in which something could be messed up is if
    pam_listfile.so becomes deprecated. you are right, as long as openssh
    provides the functionality we want, we should use it.
    The thing is, we're not going to upgrade to a version that supports
    that for a while (we're in 4.3), so we'll have to stick to this ugly
    solution with pam.

    >
    > I think Richard is the winner, and still champeen!
    >

    indeed he is ;-)

    thanx again for your help guys!

    --
    Anastassios Nanos


    1024D/CCCE759D 2007/04/29 Anastassios Nanos
    Key fingerprint = 60EC 7B9E CD11 9AB2 C3CE B694 08D6 F033 CCCE 759D

  10. Re: SSH pubkey or password based on user group

    Richard E. Silverman wrote:
    > [sshd_config]
    >
    > match group root
    > passwordauthentication no
    >


    Thanks Richard! Couldn't that be easier... We thought it was something
    more complicated that ssh couldn't handle and that's why we were looking
    at pam's config! Anyway Richard's solution seems to be the easiest and
    the most straightforward!

    Thanks for the help
    Nikos
