Gentoo Archives: gentoo-user

From: Josh Cepek <josh.cepek@×××.net>
To: gentoo-user@l.g.o
Subject: [gentoo-user] sshd Authentication Restrictions
Date: Tue, 30 Oct 2007 15:49:15
1 I want to harden my ssh server by restricting most users to Public Key
2 authentication only. I can set "ChallengeResponseAuthentication no" in
3 the config file, but I can't figure out how to then allow a user or
4 group within a Match section to use Keyboard-Interactive authentication.
5 "ChallengeResponseAuthentication" is not valid within a Match section.
6 When this directive is added globally there seems to be no way to
7 enable it again under a Match section. I also tried to set the global
8 option "KbdInteractiveAuthentication no", but this doesn't seem to be
9 valid outside of a Match section since users can connect without public
10 keys (the sshd process does accept this option, but it doesn't seem to
11 actually do anything outside of a Match section.)
13 At this point the only way I've found to do what I want is to add all
14 users I want to restrict to a group, create a Match section for this
15 group, and use the directive "KbdInteractiveAuthentication no". While
16 this works, I'd like to know if there is a way I can disable it as part
17 of the global sshd config and enable this authentication only for
18 specific users.
20 Thanks for any ideas.
22 --
23 Josh


File name MIME type
signature.asc application/pgp-signature