prompt or not prompt for the password depending on the user


Post by wong_powa » Fri, 22 Jun 2007 07:03:05


I want the server to prompt or not prompt for the password depending
on the user.
Can host based authentication (using ~/.ssh/authorized_keys, etc) do
that?
e.g.
# ssh john@server
prompt for password

# ssh powah@server
no prompt for password
 
 
 


Post by Dave » Fri, 22 Jun 2007 09:06:42


That sure is secure!

 
 
 


Post by wong_powa » Fri, 22 Jun 2007 09:58:41


For the known client C to ssh to server, no prompt for password for
the user powah, else still prompt for password for all unknown
clients. This is host based authentication.
 
 
 


Post by wong_powa » Fri, 22 Jun 2007 12:36:33


To clarify:
I want the server to prompt or not prompt for the password depending
on the user and client.
How to do that?
Can host based authentication (using ~/.ssh/authorized_keys, etc) do
that?
e.g.
from a known client,
# ssh john@server
prompt for password

# ssh powah@server
no prompt for password

from an unknown client,
# ssh john@server
prompt for password

# ssh powah@server
prompt for password
 
 
 


Post by per » Sat, 23 Jun 2007 04:55:22

In article < XXXX@XXXXX.COM >
XXXX@XXXXX.COM writes:

HostbasedAuthentication doesn't use authorized_keys, that's for
PubkeyAuthentication. Anyway the answer is "sort of" for both - i.e. it
can be set up the way you want, but you normally can't make sure it
stays that way.

HostbasedAuthentication isn't used much, since the security is pretty
weak - I believe it's disabled by default in most sshd installations.
But anyway you could set it up with the client's public key in that
user's ~/.shosts file, and IgnoreRhosts=no in sshd_config. But then
normally nothing prevents that user from adding other client public
keys to his ~/.shosts, or other users from adding any client public keys
to theirs.

With PubkeyAuthentication, you could set up that user's
~/.ssh/authorized_keys with the *user's* public key, and the added
restriction of a from= option. But then normally nothing prevents that
user from removing that restriction, or other users from putting
whatever they want in their ~/.ssh/authorized_keys. Of course this
situation is the default in most sshd installations.

All of the above applies to OpenSSH, don't know about others, you didn't
say what SSH implementation you were asking about.

--Per Hedeland
XXXX@XXXXX.COM
 
 
 


Post by wong_powa » Sat, 23 Jun 2007 09:47:45


I use PubkeyAuthentication on OpenSSH.
After the user logs in, a special program (instead of the default
shell) will start, parse the user commands and do only what is allowed
for that user.
Then the user cannot change its setting.
 
 
 


Post by per » Sat, 23 Jun 2007 17:57:21

In article < XXXX@XXXXX.COM >
XXXX@XXXXX.COM writes:



OK, that possibility is why I sprinkled all those "normally" over the
text. Then PubkeyAuthentication set up as above should be fine - see the
sshd man page for the details of the format to use in authorized_keys.

--Per Hedeland
XXXX@XXXXX.COM
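
The `from=` restriction and the forced program discussed in the posts above only help while they stay in the file, so it is worth checking for them mechanically. The following Python is an added example, not part of the thread: it parses authorized_keys lines (quoted option values included) and reports keys that lack `from=` or `command=`. The sample entries, key material, the address 192.0.2.10 and the path /usr/local/bin/limited-shell are constructed placeholders.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # a line starting like this has no options
def _split_unquoted(text, seps):
    """Split text on any character in seps that sits outside double quotes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\" and text[i + 1:i + 2] == '"':
            buf.append('\\"')  # escaped quote inside a quoted value
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def parse_line(line):
    """Return {'options', 'type', 'comment'} for a key line, None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = [t for t in _split_unquoted(line, " \t") if t]
    options = {}
    if not tokens[0].startswith(KEY_PREFIXES):  # first field is the option list
        for item in _split_unquoted(tokens.pop(0), ","):
            name, _, value = item.partition("=")
            options[name.lower()] = value[1:-1] if value[:1] == '"' else (value or True)
    key_type = tokens[0] if tokens else None
    return {"options": options, "type": key_type, "comment": " ".join(tokens[2:])}

def audit(text, required=("from", "command")):
    """List (line_no, comment, missing_options) for keys missing a required option."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        missing = [r for r in required if entry and r not in entry["options"]]
        if missing:
            findings.append((no, entry["comment"], missing))
    return findings
# Constructed sample: placeholder key material, documentation IP, hypothetical program path.
SAMPLE = '''\
from="192.0.2.10",command="/usr/local/bin/limited-shell" ssh-rsa AAAAB3PLACEHOLDER powah@clientC
ssh-rsa AAAAB3PLACEHOLDER john@anywhere
command="/usr/local/bin/limited-shell --mode \\"ro\\"",no-pty ssh-ed25519 AAAAC3PLACEHOLDER ops@build
'''
```

Calling `audit(SAMPLE)` reports the second and third entries; the result is only meaningful when the account owner cannot rewrite the file being audited.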
 
 
 


Post by Dave » Sun, 24 Jun 2007 22:24:17


Sorry, I did not read the line about host-based authentication - I
incorrectly assumed you wanted it to be based on just the username (as
the subject might imply).

Sorry.