Categories
MetaNET Tool of the Week WLUG

Restricting ssh password auth by group or shell

Matt Brown asked if I could think of any way to allow a certain group of users to scp into a host and use a password, while requiring a valid key pair for most other users. Perry suggested a solution to this a while ago, so I sat down and had a quick look at it, and got it working.

I configured sshd such that:

[code]

PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
[/code]

This turns off sshd's own password method and leaves keyboard-interactive authentication, which with UsePAM yes is handed to the auth stack in /etc/pam.d/sshd. (OpenSSH 8.7 and later call the option KbdInteractiveAuthentication and keep ChallengeResponseAuthentication as a deprecated alias.) On its own this still lets every user log in with a password, so the restriction has to live in PAM. For that I used the pam_listfile module, checking that the user's login shell is one of those listed in a file. pam_listfile refuses to use a list that is not a regular file or is world-writable, so create it as root with mode 0644. The only shell I list is /usr/bin/scponly:

[code]

# one permitted login shell per line (echo, not cat: cat would copy the scponly binary itself)
echo "/usr/bin/scponly" > /etc/scpshells

[/code]

I then edited /etc/pam.d/sshd:

[code]

auth required pam_env.so
# Gate on login shell. "required" rather than "requisite" so an unlisted user is
# still prompted for a password and only then refused, instead of being refused
# before the prompt.
auth required pam_listfile.so item=shell sense=allow file=/etc/scpshells onerr=fail
# pam_nologin has to sit before the "sufficient" pam_unix line: placed after it,
# a successful password check returns before pam_nologin is ever consulted.
auth required pam_nologin.so
# nullok lets an account with an empty password field in with an empty password;
# drop it unless you really need that.
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

session required pam_limits.so
session required pam_unix.so

account required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so

[/code]

I probably don't need all of that in the sshd PAM snippet; I just dumped the contents of the included files into it to make editing easier.

To test this I added /bin/bash to /etc/scpshells and verified that I could ssh in using a password, then removed it and verified that I could no longer ssh in with a password. Combined with a suitable shell (/usr/bin/scponly), this lets me create users that can scp in with a password, or with a key if they care, but cannot get a local shell; every other user fails the PAM auth stack and so must present a valid key. Two caveats: key-based logins still run the account and session stacks in /etc/pam.d/sshd, so those must stay sane, and the "by group" variant from the title is the same module with item=group and a file of group names. OpenSSH 4.4 and later can also handle the group case without PAM, with a Match Group block in sshd_config that sets PasswordAuthentication yes for that group only.
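As an added example, not code from the original post, the following POSIX shell script builds the allow-list the way the post intends (one shell path per line) and dry-runs pam_listfile's item=shell decision against constructed passwd data before the PAM change goes live. The sample users, the file name and the helper functions (make_scpshells, shell_allowed, list_file_ok) are assumptions for illustration; the decision logic mirrors pam_listfile with sense=allow and onerr=fail but is a stand-in, not the module itself.

```shell
#!/bin/sh
# Added example, not from the original post: build the pam_listfile allow-list
# (one shell path per line) and dry-run the item=shell decision against sample
# passwd data before the PAM change goes live. Names and users are assumptions.
set -eu

# Constructed sample standing in for /etc/passwd; these accounts are hypothetical.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
uploads:x:1001:1001:Upload account:/srv/uploads:/usr/bin/scponly
nobody:x:65534:65534:nobody:/nonexistent:/bin/false'

# Write the allow-list: the paths of the permitted shells. Note printf, not
# cat: `cat /usr/bin/scponly > file` would copy the binary itself into the list.
make_scpshells() {            # $1 = list file, remaining args = shell paths
    out=$1; shift
    : > "$out"
    for s in "$@"; do
        printf '%s\n' "$s" >> "$out"
    done
    chmod 0644 "$out"         # readable list, not world-writable
}

# pam_listfile item=shell sense=allow compares the user's login shell (7th passwd
# field) against the list, whole line, exact match. Mimic that decision here:
# prints allow/deny and returns 0/1 so it works in scripts and tests.
shell_allowed() {             # $1 = user, $2 = list file, $3 = passwd data
    shell=$(printf '%s\n' "$3" | awk -F: -v u="$1" '$1 == u { print $7 }')
    if [ -n "$shell" ] && grep -qxF -- "$shell" "$2"; then
        echo allow
        return 0
    fi
    echo deny                 # unknown user or unlisted shell
    return 1
}

# pam_listfile returns an error for a list that is not a regular file or is
# world-writable, and onerr=fail turns that error into "deny everyone".
# Catch that before deploying.
list_file_ok() {              # $1 = list file
    [ -f "$1" ] || return 1
    # ninth character of the ls mode string is the "others write" bit
    [ "$(ls -ld "$1" | cut -c9)" != w ]
}

# Dry run against the sample data.
main() {
    list=$(mktemp)
    make_scpshells "$list" /usr/bin/scponly
    list_file_ok "$list" || { echo "list file is unsafe for pam_listfile" >&2; exit 1; }
    for u in root alice uploads nobody ghost; do
        printf '%-8s %s\n' "$u" "$(shell_allowed "$u" "$list" "$SAMPLE_PASSWD" || true)"
    done
    rm -f "$list"
}
main
```

To check a live setup the way the post did, force password authentication from a client with `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=keyboard-interactive user@host`, once with /bin/bash in /etc/scpshells and once without, and watch the auth log for pam_listfile's refusal of the second attempt.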

Categories
General WLUG

Backspace in Firefox 2

As part of my upgrade to Edgy the other day, Firefox was upgraded to 2.0. It's been upgraded every day since then, and is, I think, finally running a real 2.0 build:

[code]

$ apt-cache show firefox | grep Version
Version: 2.0+0dfsg-0ubuntu3
[/code]

The biggest interface changes I’ve noticed to Firefox 2 so far include some cosmetic changes to the tab panel layout, which I’m mostly used to, and the ‘backspace’ button now no longer steps backwards in your history.

This behaviour is controllable via about:config however. Setting the following will revert to the old behaviour.
[code]

browser.backspace_action = 0
[/code]

Categories
General WLUG

Edgy Eft RC1 announced

After seeing this announcement for the Edgy Eft RC1 release, I decided to upgrade my Dapper laptop to Edgy. Thanks to the NZ mirror already being up to date, it didn’t take long to download the 700MB of packages that I needed.

I’d like to say the upgrade went smoothly, but it didn’t. Part of that is my own fault – I accidentally used apt-get instead of aptitude to handle the upgrade, and so a lot of packages were missed, and some dependency resolution was fumbled which meant the upgrade process broke hard along the way.

After manually removing a bunch of packages then getting the upgrade to restart, then repeating “aptitude dist-upgrade” about 6 times after it thought it’d finished, each time installing a couple of new packages, and then finally rebooting one more time because I couldn’t get X to start again, it all looked good.

Except that when I logged in, GNOME didn’t appear to start. I killed X and added a new user, then logged in as them – worked fine. Tried my user – no go. I spent a long time trying to move various GNOME configs out of the way, and eventually resorted to creating a new blank homedir for myself – still wouldn’t work. So I rebooted one more time and it started working after that. Very strange.

I'd suggest waiting for the final release to upgrade, but if you do go ahead, make absolutely sure you use aptitude and not apt-get. It may also work better if you use the CD and boot into an upgrade mode; I can't comment.

I would file a bug, but I’m not sure it’ll help. I can’t pin down what was wrong because I used the wrong tool to upgrade. I have a Dapper install on my desktop at home, and I’ll try upgrading that next week when I get some free time, however it’ll probably “just work” by then anyway.

New things noticed in Edgy Eft so far:

  • Firefox 2
  • Network-manager-applet has a dialup account plugin.

Yeah. It looks the same. Edgy does have new features under the hood, but I haven’t looked into those yet.

Update: Yeah, it’s called Edgy Eft, not Efty Edge.