| 1 |
On Mon, Jul 1, 2013 at 6:24 PM, Grant <emailgrant@×××××.com> wrote: |
| 2 |
> My backup user needs a shell on the backup server in order to execute |
| 3 |
> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in |
| 4 |
> order to SSH in. My authorized_keys file is locked-down. The second |
| 5 |
> field for the user in /etc/shadow is an exclamation point which I |
| 6 |
> think means the user can not log in with a password. Should I take |
| 7 |
> any additional steps to prevent that user from logging in and not |
| 8 |
> being subject to the authorized_keys restrictions? |
| 9 |
|
| 10 |
There are a few distinct problems and solutions that come to mind. |
| 11 |
Here's my take as an uncertified non-expert: |
| 12 |
|
| 13 |
Problem: I want different SSHD config for different users |
| 14 |
Solution: use the "Match" directive in sshd_config (as Adam already |
| 15 |
pointed out) and enable or disable password authentication for users |
| 16 |
who are exceptions to the system-wide setting |
| 17 |
|
| 18 |
Problem: I don't want the backup user to be able to login using a |
| 19 |
password anywhere except ssh |
| 20 |
Solution 1: set the password to an * in /etc/shadow (disabled password |
| 21 |
login permanently) |
| 22 |
Solution 2: prefix the existing password with an ! in /etc/shadow |
| 23 |
(this disables pw login temporarily, remove the ! to restore the |
| 24 |
password) |
| 25 |
Solution 3: set the user's shell to /sbin/nologin in /etc/passwd |
| 26 |
Note: there are slight differences between these approaches, see "man |
| 27 |
5 passwd" for details |
| 28 |
|
| 29 |
Problem: backup user should only be allowed to run the rsync command |
| 30 |
Solution 1: set a forced command in sshd_config for that user |
| 31 |
Solution 2: set a forced command in authorized_keys for that key |
| 32 |
|
| 33 |
I think if you combine that with what you've already done, that user |
| 34 |
should be well and truly locked down. That is based on using the |
| 35 |
standard Gentoo configuration... I'm sure there are 1000 different |
| 36 |
ways to do it and probably a lot of them better than what I suggested, |
| 37 |
so take it FWIW. :) |
Archives