How to setup accounts with SSH connection rights only - SSH


  1. How to setup accounts with SSH connection rights only

    I want to set up cygwin sshd on an SBS2003 server, to allow users to log
    on to their workstations. What I don't want however is for the users to
    log on with their SBS domain credentials.

    I want them to log on with totally unprivileged accounts, which are
    either cygwin only accounts that are not present in the Windows
    accounts, or Windows accounts that are not part of the domain and have
    only the minimum privileges required for them to log on to ssh and
    forward their connections to their desktops.

    I don't even want them to have the rights to amend their ssh keys by
    running ssh_keygen after the logon to ssh or even see them, unless I
    permit it.

    How do I go about this?

    Prof Chen


  2. Re: How to setup accounts with SSH connection rights only

    >>>>> "PC" == professor chen writes:

    PC> I want to set up cygwin sshd on an SBS2003 server, to allow users
    PC> to log on to their workstations. What I don't want however is for
    PC> the users to log on with their SBS domain credentials.

    If you allow publickey only, this will happen, since the server needs the
    password (or Kerberos/NTLM via GSSAPI) to obtain domain credentials.

    PC> I don't even want them to have the rights to amend their ssh keys
    PC> by running ssh_keygen after the logon to ssh or even see them,
    PC> unless I permit it.

    The "or even see them" part doesn't make sense, since in order to log in
    with publickey they must have the private keys, from which one can always
    derive the public components.

    --
    Richard Silverman
    res@qoxp.net
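
An added example, not part of either post: a small Python check that reads an sshd_config and reports settings that leave a password-style or GSSAPI login path open, or that keep the authorized keys file in the user's own home where the user can edit it. The sample configurations and the `/etc/ssh/authorized_keys/%u` location are constructed assumptions, and `Match` blocks are ignored for simplicity.

```python
# Added example: audit the global section of an sshd_config for publickey-only logins.
DEFAULTS = {  # stock OpenSSH values when a keyword is absent
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "gssapiauthentication": "no",
    "pubkeyauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys",
}
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

def effective_settings(config_text):
    """Keywords are case-insensitive and the first occurrence wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":  # simplification: ignore conditional blocks
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip())
    return {**DEFAULTS, **settings}

def audit(config_text):
    """Return the keywords that break the publickey-only, admin-managed-keys goal."""
    s = effective_settings(config_text)
    bad = [k for k in ("passwordauthentication",
                       "challengeresponseauthentication",
                       "gssapiauthentication") if s[k].lower() != "no"]
    if s["pubkeyauthentication"].lower() != "yes":
        bad.append("pubkeyauthentication")
    # A relative path or %h puts the key file in the user's home, where the
    # user can edit it; an absolute path outside the home can be admin-owned.
    if any(not p.startswith("/") or "%h" in p for p in s["authorizedkeysfile"].split()):
        bad.append("authorizedkeysfile")
    return bad

# Constructed sample configurations (not taken from the thread).
WEAK = "PasswordAuthentication yes\nAuthorizedKeysFile .ssh/authorized_keys\n"
HARDENED = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
"""
print("weak:", audit(WEAK), "| hardened:", audit(HARDENED))
```

An empty list from `audit()` means none of the checked settings contradict the goal; the key files under the assumed directory still need to be owned by the administrator and not writable by the users.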

