7

I have read several posts regarding restricting ALL users to Key authentication ONLY, however I want to force only a single user (svn) onto Key auth only, the rest can be key or password.

I read https://stackoverflow.com/questions/4241197/how-to-disable-password-authentication-for-every-users-except-several, however it seems the "match user" part of sshd_config is part of openssh-5.1. I am running CentOS 5.6 and only have OpenSSH 4.3. I have the following repos available at the moment.

$ yum repolist
Loaded plugins: fastestmirror
repo id                            repo name                                                                         status
base                               CentOS-5 - Base                                                                   enabled:  3,535
epel                               Extra Packages for Enterprise Linux 5 - x86_64                                    enabled:  6,510
extras                             CentOS-5 - Extras                                                                 enabled:    299
ius                                IUS Community Packages for Enterprise Linux 5 - x86_64                            enabled:    218
rpmforge                           RHEL 5 - RPMforge.net - dag                                                       enabled: 10,636
updates                            CentOS-5 - Updates                                                                enabled:    720
repolist: 21,918

I mainly use epel; rpmforge is used for the latest version (1.6) of subversion.

Is there any way to achieve this with my current setup? I don't want to restrict the server to keys only because if I lose my key I lose my server ;-)

Nick

3 Answers

14

Add a Match block to your sshd_config file. Something like this:

Match Group SSH_Key_Only_Users
    PasswordAuthentication no

Or if it's truly one user

Match User Bad_User
    PasswordAuthentication no

See man sshd_config for more details on what you can match and what restrictions you can put in it.

Chris S
  • That was the suggestion in http://stackoverflow.com/questions/4241197/how-to-disable-password-authentication-for-every-users-except-several - however it required OpenSSH 5.1 and I'm running 4.3 (I'd rather not upgrade to a version which isn't officially supported by CentOS 5.6). I checked `man sshd_config` and couldn't see any mention of `Match`. I agree, though, that if I were on 5.1 then this would be the answer (as it is in the other post), however I don't believe it will work in 4.3. – Nick Jul 04 '11 at 08:36
  • My apologies, didn't realize CentOS was using such an ancient version of SSHd. OpenSSH 4.3 is from Feb 1, 2006; what the heck are they still using that for? – Chris S Jul 04 '11 at 12:54
  • Not sure, but I assume it still receives security updates?! The full release is: `openssh.x86_64 4.3p2-72.el5_6.3` Interestingly, according to the following URL EL6 should be up to OpenSSH 5.3 now... https://github.com/repoforge/rpms/blob/master/specs/openssh/openssh.spec My server reports: `$ cat /etc/redhat-release CentOS release 5.6 (Final)` It's at times like this when I appreciate the simplicity of OS's like Windows and, to some extent, OS X too. You don't have to faff about with all this dependency malarkey ;) – Nick Jul 04 '11 at 14:24
4

You could set the parameter PermitEmptyPasswords no in your sshd configuration, and delete the passwords for some users, to force ssh key authentication for them.

Thomas Berger
  • That seems to work well. I guess I just have to trust other users that SSH in not to `su svn`. Is there an easy way to stop that (but maybe still allow `sudo su svn`?) –  Jul 01 '11 at 13:25
  • You could limit the usage of "su" to a specific group. You should have a look at `/etc/pam.d/su` there you will find this line: `# Uncomment the following line to require a user to be in the "wheel" group.` – Thomas Berger Jul 01 '11 at 13:54
  • That works REALLY well - thank you! I have also configured scponlyc on the box as well so some users can be root jailed. – Nick Jul 04 '11 at 11:24
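Worked example, added here and not taken from any of the answers above: a small POSIX shell script that checks, offline, the two approaches this thread discusses. `supports_match` tells you from a version string such as the output of `ssh -V` whether sshd is new enough for `Match` (it uses the 5.1 threshold the question cites, so on the CentOS 5 build of 4.3p2 it says no). `effective_password_auth` evaluates a constructed sshd_config the way sshd does, global value first, then the first satisfied `Match User`/`Match Group` block that sets the keyword, so you can see what a given user would get before you restart anything. `password_login_possible` checks the second answer's route: an emptied password field together with `PermitEmptyPasswords no`. The config text, user names, group lists and shadow lines are all constructed for the example; nothing is read from the live system.

```shell
#!/bin/sh
# Added example, not code from the answers. Checks the two approaches offline.
# All sshd_config fragments, users, groups and shadow lines here are constructed.

# supports_match VERSION_STRING
# Returns 0 when the OpenSSH version in a string like "OpenSSH_4.3p2" is 5.1
# or newer (the threshold the question uses for "Match" support), 1 if older,
# 2 if no version could be found in the string.
supports_match() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 2
    set -- $v                       # $1 = major, $2 = minor
    if [ "$1" -gt 5 ]; then return 0; fi
    if [ "$1" -eq 5 ] && [ "$2" -ge 1 ]; then return 0; fi
    return 1
}

# effective_password_auth USER GROUPS < sshd_config
# Prints the PasswordAuthentication value sshd would apply to USER, whose
# group list is the comma-separated GROUPS argument (constructed, not looked
# up). Rule mirrored from sshd: the global value is the default, and the first
# satisfied Match block that sets the keyword overrides it. Only literal
# "User" and "Group" criteria are handled; wildcards are not.
effective_password_auth() {
    awk -v user="$1" -v groups="$2" '
        BEGIN { inside = 0; hit = 0; global_val = "yes"; match_val = "" }
        /^[ \t]*#/ { next }                       # comment line
        NF == 0 { next }                          # blank line
        tolower($1) == "match" {
            inside = 1; hit = 1
            for (i = 2; i + 1 <= NF; i += 2) {    # criteria are ANDed
                crit = tolower($i); ok = 0
                n = split($(i + 1), pats, ",")    # patterns within one criterion are ORed
                for (j = 1; j <= n; j++) {
                    if (crit == "user" && pats[j] == user) ok = 1
                    if (crit == "group") {
                        m = split(groups, g, ",")
                        for (k = 1; k <= m; k++) if (g[k] == pats[j]) ok = 1
                    }
                }
                if (!ok) hit = 0
            }
            next
        }
        tolower($1) == "passwordauthentication" {
            if (!inside) global_val = tolower($2)
            else if (hit && match_val == "") match_val = tolower($2)
        }
        END { print (match_val != "" ? match_val : global_val) }
    '
}

# password_login_possible SHADOW_LINE < sshd_config
# Returns 0 if the account in SHADOW_LINE ("user:hash:...") could still log in
# with a password under this config. An empty field (what passwd -d leaves)
# only works when PermitEmptyPasswords is "yes"; sshd's default is "no".
# A field starting with "!" or "*" is a locked account.
password_login_possible() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    permit=$(awk 'tolower($1) == "permitemptypasswords" { v = tolower($2) }
                  END { print (v == "" ? "no" : v) }')
    case "$field" in
        "")      [ "$permit" = "yes" ] ;;         # empty: only if sshd permits it
        \!*|\**) return 1 ;;                      # locked account
        *)       return 0 ;;                      # a usable hash is present
    esac
}

# Constructed fragments used by the demo below.
MATCH_CFG='PasswordAuthentication yes
Match User svn
    PasswordAuthentication no'
EMPTY_CFG='PermitEmptyPasswords no'

if supports_match "OpenSSH_4.3p2"; then
    printf '%s\n' "OpenSSH_4.3p2: Match supported"
else
    printf '%s\n' "OpenSSH_4.3p2: no Match support, use the empty-password route"
fi
printf 'svn  -> PasswordAuthentication %s\n' "$(printf '%s\n' "$MATCH_CFG" | effective_password_auth svn "")"
printf 'nick -> PasswordAuthentication %s\n' "$(printf '%s\n' "$MATCH_CFG" | effective_password_auth nick users)"
```

Whichever route you take, run `sshd -t` against the edited file before `service sshd restart` and keep your current session open until a second login has succeeded; a config error or an unknown keyword is exactly how the third answer's lock-out happens.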
2

I just learned the hard way that CentOS 5 (with latest updates as of today) does not support the Match command by locking myself out of a remote server. Fun times.

So be warned: if you try to add the Match command to CE5 and you do service sshd restart, it won't, and as soon as you close your sshd client you are locked out until you can log back in via console to delete those 2 lines.

fred
  • Apologies, "(..) it won't (..)" what exactly? It won't restart? It won't add? Are you aware whether the _existing_ sessions will be dropped on the restart, please and thanks? – muthuh Aug 22 '23 at 11:39