Is it possible to restrict the use of private keys to specific users ? - SSH

  1. Is it possible to restrict the use of private keys to specific users ?

    Hi

    I would like to restrict the use of public/private key authentication
    to some users and not all.

    It looks like this is not possible with openssh. Either every user is
    allowed or no user is allowed (server setting).

    The objective is to force users to enter a password and to prevent them
    from storing their private keys on their workstations which are
    regarded as non-secure. A private key would be allowed for some
    specific users.

    Is it possible to do that with openssh ?

    Thanks


  2. Re: Is it possible to restrict the use of private keys to specific users ?

    On 2006-02-15, jona.pub@gmail.com wrote:
    > I would like to restrict the use of public/private key authentication
    > to some users and not all.
    >
    > It looks like this is not possible with openssh. Either every user is
    > allowed or no user is allowed (server setting).
    >
    > The objective is to force users to enter a password and to prevent them
    > from storing their private keys on their workstations which are
    > regarded as non-secure. A private key would be allowed for some
    > specific users.
    >
    > Is it possible to do that with openssh ?


    Not directly; however, you can set AuthorizedKeysFile in sshd_config to
    a root-owned directory with an absolute path, e.g.

    AuthorizedKeysFile /etc/ssh/userkeys/%u

    and then create and chown /etc/ssh/userkeys/[username] for the users
    for which public-key is permitted.

    It would be nice if OpenSSH had better granularity for things like this,
    though.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
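
An added example, not part of the original thread and not OpenSSH code: a shell audit for the per-user key directory from the reply above (`AuthorizedKeysFile /etc/ssh/userkeys/%u`). It lists which accounts currently have public-key login enabled and flags entries that are not on an approved list or that are group- or world-writable; the function names, the allow-list argument and the reason strings are assumptions made for illustration.

```shell
#!/bin/sh
# Audit a key directory laid out as <dir>/<username>, one file per account
# that is permitted public-key login. An account with no file here has no
# authorized keys, so it falls back to password authentication.

is_loosely_writable() {
    # True when group or other has write permission on the path
    # (character 6 or 9 of the ls mode string).
    case $(ls -ld -- "$1" | cut -c1-10) in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# audit_userkeys DIR "user1 user2 ..."
# Prints "OK <user>" or "BAD <name> <reason>" per entry; returns 1 if any BAD.
audit_userkeys() {
    dir=$1
    allowed=$2      # hypothetical allow-list: accounts approved for key login
    rc=0
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "BAD $dir not-a-real-directory"
        return 1
    fi
    if is_loosely_writable "$dir"; then
        # Anyone with write access here could create a key file for any user.
        echo "BAD $dir directory-group-or-world-writable"; rc=1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # empty directory
        user=${f##*/}
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "BAD $user not-a-regular-file"; rc=1
        elif is_loosely_writable "$f"; then
            echo "BAD $user file-group-or-world-writable"; rc=1
        else
            case " $allowed " in
                *" $user "*) echo "OK $user" ;;
                *) echo "BAD $user not-on-allow-list"; rc=1 ;;
            esac
        fi
    done
    return $rc
}
```

Run it as `audit_userkeys /etc/ssh/userkeys "alice backup"` from a scheduled job and alert on a non-zero exit status.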
