[oclug] Rsync and SSH
King, Brian
brian.king at xwave.com
Tue Mar 19 14:56:00 EST 2002
Sorry, I don't read oclug on a regular basis so it sometimes takes me a
while to respond.
If I understand, you're trying to prevent users from using keys, except for
some users? You could try creating their authorized_keys files owned by
root, so that they can't edit/modify them. For that to work, you probably
have to edit the sshd_config file as well, and change the default key
location. If it was still their home directory, they could "rm -rf .ssh",
and recreate it on you.
There may be a better way, that's all I could think of at the moment though.
Brian
-----Original Message-----
From: Ross Jordan [mailto:rjordan at student.math.uwaterloo.ca]
Sent: Monday, March 04, 2002 17:05
To: oclug at lists.oclug.on.ca
Subject: Re: [oclug] Rsync and SSH
> You can restrict what a particular key can be used for by prepending a few
> keywords to the line containing the key.
> e.g.
>
> command="ls",no-pty,no-port-forwarding ssh-dss public_key_here==
> comment_here
>
> will mean that this particular public key can only be used to get a
> directory listing. It won't give you a login terminal, and you can't use it
> to set up port forwarding. These options are documented in the sshd man page
> under the heading "AUTHORIZED_KEYS FILE FORMAT". Additional options are:
>
> from
> command
> environment
> no-port-forwarding
> no-X11-forwarding
> no-agent-forwarding
> no-pty
> permitopen
>
Here's a question --
is there a way to restrict PublicKey authentication, except
for a small subset of users ( regular users would login
with password authentication ).
-Ross
--
"Trying to make bits uncopyable is like trying to make water not wet.
The sooner people accept this, and build business models that take
this into account, the sooner people will start making money again".
-- Bruce Schneier
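As an added example (not code from either poster), here is a small Python parser for the authorized_keys option syntax the quoted message describes, plus an audit that reports what each key entry still permits. The option field is comma separated, but values such as from="a,b" or command="rsync --server ..." may contain commas and spaces inside double quotes, so a naive split() breaks; the parser tracks quoting and backslash escapes the way the sshd man page specifies. The sample file, the key blobs and the rsync forced command are constructed placeholders. The "restrict" option, which implies all the no-* options, was added to OpenSSH after this 2002 thread and is treated as an assumption here.

```python
"""Parse OpenSSH authorized_keys entries and audit the restriction options
(command=, from=, no-pty, no-port-forwarding, no-X11-forwarding,
no-agent-forwarding, environment=, permitopen=) discussed in the thread."""
from dataclasses import dataclass

# Key-type prefixes sshd accepts; a line whose first field starts with one
# of these has no options field at all.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-",
             "sk-ssh-ed25519", "sk-ecdsa-sha2-")

# The no-* options named in the thread, lower-cased (sshd matches option
# names case-insensitively). "restrict" (later OpenSSH) implies all of them.
RESTRICTIONS = ("no-pty", "no-port-forwarding",
                "no-x11-forwarding", "no-agent-forwarding")


@dataclass
class AuthorizedKey:
    options: dict   # lower-cased option name -> value, or True for flags
    keytype: str
    blob: str
    comment: str


def _scan_quoted(text, stop):
    """Index of the first char satisfying stop() outside double quotes;
    backslash escapes inside quotes are skipped."""
    in_quote, i = False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and in_quote:
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif stop(c) and not in_quote:
            return i
        i += 1
    return len(text)


def _split_options(text):
    """Split the options field on commas that are not inside quotes, drop the
    quote characters and resolve backslash escapes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and in_quote and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts


def parse_authorized_key(line):
    """Parse one authorized_keys line; None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    end = _scan_quoted(line, str.isspace)       # end of the first field
    first = line[:end]
    if first.startswith(KEY_TYPES):
        options_text, rest = "", line
    else:
        options_text, rest = first, line[end:].lstrip()
    parts = rest.split(None, 2)                  # keytype, blob, [comment]
    if len(parts) < 2:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    options = {}
    for opt in _split_options(options_text):
        name, has_value, value = opt.partition("=")  # environment="A=b" is fine
        options[name.lower()] = value if has_value else True  # last repeat wins
    return AuthorizedKey(options, parts[0], parts[1],
                         parts[2] if len(parts) > 2 else "")


def audit(line):
    """List what the entry still permits; [] means it is limited to a forced
    command from a fixed source with no forwarding."""
    key = parse_authorized_key(line)
    if key is None:
        return []
    opts, findings = key.options, []
    if "command" not in opts:
        findings.append("no forced command: key grants an interactive login")
    if "restrict" not in opts:
        findings.extend(f"missing {r}" for r in RESTRICTIONS if r not in opts)
    if "from" not in opts:
        findings.append("no from= pattern: key usable from any source address")
    return findings


def audit_file(text):
    """Audit every key line of a file; returns {line_number: findings}."""
    return {n: audit(l) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#")}


# Constructed sample file; key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# comment line, ignored
command="ls",no-pty,no-port-forwarding ssh-dss AAAAB3PLACEHOLDER1== comment_here
ssh-rsa AAAAB3PLACEHOLDER2== alice@laptop
from="10.0.0.0/8,192.168.1.*",command="/usr/bin/rsync --server --sender . /srv/data",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,environment="PATH=/usr/bin" ssh-ed25519 AAAAC3PLACEHOLDER3 backup@host
"""

if __name__ == "__main__":
    for n, findings in audit_file(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"line {n}: {'OK' if not findings else '; '.join(findings)}")
```

Run against a real file with audit_file(open("/path/to/authorized_keys").read()); the second sample line (a bare ssh-rsa key with no options) is the case Brian's root-owned-file suggestion is meant to stop users from adding, while the third shows a key locked down for an rsync-only job.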
_______________________________________________
oclug mailing list
oclug at lists.oclug.on.ca
http://www.oclug.on.ca/mailman/listinfo/oclug