Matt Brown asked if I could think of any way to allow a certain group of users to scp into a host and use a password, while requiring a valid key pair for most other users. Perry suggested a solution to this a while ago, so I sat down and had a quick look at it, and got it working.<\/p>\n
I configured sshd such that:<\/p>\n
[code]<\/p>\n
PasswordAuthentication no
\nChallengeResponseAuthentication yes
\nUsePAM yes
\n[\/code]<\/p>\n
This bypasses direct \/etc\/passwd auth, but allows standard PAM based auth via the ChallengeResponseAuthentication mechanism. This will allow everyone to login with a password if possible, so we need to configure pam. For this, I used the pam_listfile module, checking that the user had a particular shell, \/usr\/bin\/scponly, as their shell:<\/p>\n
[code]<\/p>\n
cat “\/usr\/bin\/scponly” > \/etc\/scpshells<\/p>\n
[\/code]<\/p>\n
I then edited \/etc\/pam.d\/sshd:<\/p>\n
[code]<\/p>\n
auth required pam_env.so
\nauth required pam_listfile.so item=shell sense=allow file=\/etc\/scpshells onerr=fail
\nauth sufficient pam_unix.so likeauth nullok
\nauth required pam_deny.so
\nauth required pam_nologin.so<\/p>\n
session required pam_limits.so
\nsession required pam_unix.so<\/p>\n
account required pam_unix.so<\/p>\n
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
\npassword sufficient pam_unix.so nullok md5 shadow use_authtok
\npassword required pam_deny.so<\/p>\n
[\/code]<\/p>\n
I probably don’t need all of that in the sshd pam snippet, but I just dumped the contents of the included files into to to make editing it easier.<\/p>\n
To test this I added \/bin\/bash to \/etc\/scpshells, and verified that I could ssh in by using a pasword. I then removed it, and verified that I could no longer ssh in with a password. Combine this with a suitable shell (\/usr\/bin\/scponly), and I can create users that can scp in with a password – or with a key if they care – but cannot get a local shell; all other users cannot authenticate via PAM, and so must provide a valid key.<\/p>\n","protected":false},"excerpt":{"rendered":"
Matt Brown asked if I could think of any way to allow a certain group of users to scp into a host and use a password, while requiring a valid key pair for most other users. Perry suggested a solution to this a while ago, so I sat down and had a quick look at […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,9,4],"tags":[],"_links":{"self":[{"href":"https:\/\/www.meta.net.nz\/~daniel\/blog\/wp-json\/wp\/v2\/posts\/12"}],"collection":[{"href":"https:\/\/www.meta.net.nz\/~daniel\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.meta.net.nz\/~daniel\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.meta.net.nz\/~daniel\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.meta.net.nz\/~daniel\/blog\/wp-json\/wp\/v2\/comments?post=12"}],"version-history":[{"count":0,"href":"https:\/\/www.meta.net.nz\/~daniel\/blog\/wp-json\/wp\/v2\/posts\/12\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.meta.net.nz\/~daniel\/blog\/wp-json\/wp\/v2\/media?parent=12"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.meta.net.nz\/~daniel\/blog\/wp-json\/wp\/v2\/categories?post=12"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.meta.net.nz\/~daniel\/blog\/wp-json\/wp\/v2\/tags?post=12"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}