On Mon, Jul 1, 2013 at 6:24 PM, Grant <emailgrant@×××××.com> wrote:

> My backup user needs a shell on the backup server in order to execute
> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
> order to SSH in. My authorized_keys file is locked down. The second
> field for the user in /etc/shadow is an exclamation point, which I
> think means the user cannot log in with a password. Should I take
> any additional steps to prevent that user from logging in and not
> being subject to the authorized_keys restrictions?

There are a few distinct problems and solutions that come to mind.
Here's my take as an uncertified non-expert:

Problem: I want different SSHD config for different users
Solution: use the "Match" directive in sshd_config (as Adam already
pointed out) and enable or disable password authentication for users
who are exceptions to the system-wide setting

Problem: I don't want the backup user to be able to log in using a
password anywhere except ssh
Solution 1: set the password to an * in /etc/shadow (disables password
login permanently)
Solution 2: prefix the existing password with an ! in /etc/shadow
(this disables pw login temporarily; remove the ! to restore the
password)
Solution 3: set the user's shell to /sbin/nologin in /etc/passwd
Note: there are slight differences between these approaches, see "man
5 passwd" for details

Problem: backup user should only be allowed to run the rsync command
Solution 1: set a forced command in sshd_config for that user
Solution 2: set a forced command in authorized_keys for that key

I think if you combine that with what you've already done, that user
should be well and truly locked down. That is based on using the
standard Gentoo configuration... I'm sure there are 1000 different
ways to do it and probably a lot of them better than what I suggested,
so take it FWIW. :)
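The pieces the reply lists, put together as an added example (this is not code from Grant's question or from the reply above). It assumes the account is called "backup", the backup tree lives under /srv/backup, and rsync's restricted wrapper rrsync is installed at /usr/bin/rrsync; the /etc/shadow and /etc/passwd lines fed to the check functions in the usage note are constructed. The generator functions print the sshd_config Match block and the authorized_keys entry; the check functions classify the shadow password field and the login shell so the account state can be verified before the key is handed out.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumptions: user "backup",
# backup tree /srv/backup, rrsync at /usr/bin/rrsync (ships with rsync).

# Classify the password field of one /etc/shadow line (shadow(5)):
#   locked - field starts with "!" or "*": password login is not possible
#   empty  - field is empty: the account has NO password and may log in
#            without one (worse than a locked account, check for it)
#   hashed - a usable hash: password login is possible
shadow_pw_state() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo hashed ;;
    esac
}

# Return 0 when the shell field (7th) of a /etc/passwd line is a
# non-interactive shell. Note that sshd runs forced commands through the
# user's login shell, so a nologin shell also breaks the rsync session;
# for a key-only rsync account, lock the password and keep a real shell.
passwd_shell_is_nologin() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd_config Match block: password authentication off for this user
# only, no forwarding or PTY, and rrsync forced as the only command.
# rrsync confines every rsync invocation to /srv/backup; add -ro if the
# client should only ever read (restore) rather than push backups.
sshd_match_block() {
    cat <<'EOF'
Match User backup
    PasswordAuthentication no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
    ForceCommand /usr/bin/rrsync /srv/backup
EOF
}

# authorized_keys entry for one public key ($1 is the "type base64 comment"
# text): the same forced command plus "restrict", which disables port
# forwarding, agent forwarding, X11, PTY and user rc (OpenSSH 7.2 or later).
authorized_keys_line() {
    printf 'command="/usr/bin/rrsync /srv/backup",restrict %s\n' "$1"
}

# Return 0 only if an authorized_keys line carries both a forced command
# and the restrict option, i.e. the key alone cannot obtain a shell.
ak_line_locked() {
    case "$1" in
        *command=\"*\"*restrict*|*restrict*command=\"*\"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Usage: `sshd_match_block >> /etc/ssh/sshd_config`, then `authorized_keys_line "$(cat backup.pub)" >> ~backup/.ssh/authorized_keys`. Check the live account with `shadow_pw_state "$(grep '^backup:' /etc/shadow)"` (expect `locked`, never `empty`) and confirm the Match block took effect with `sshd -T -C user=backup,host=client.example.org,addr=192.0.2.10 | grep -iE 'passwordauthentication|forcecommand'` (host and address are placeholders for the client). Using both the Match block and the key options means a second key accidentally added to authorized_keys without options still gets the forced command from sshd_config.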