SSHd restriction per user basis

ssh

I need to restrict certain user(s) so that they can only SSH in using ssh keys and other users can login using key or password.

an example:

i'd like for root user to be able to login remotely (through sshd) using key, so no password would be accepted (even if password is right)

and for other users (everyone on the system) they can log in using key and/or password

how would I do that?

Best Answer

What I would do is to set /etc/sshd/sshd_config such that:

PermitRootLogin without-password

just for extra security and to avoid having the root password locked (it would only allow root to log in using a key)

I would instead use AllowGroups instead of AllowUser, as for me it would be more convenient to add users to a group rather than to sshd_config but that could depend on your personal preferences.

Related Solutions

Ssh – How to recover from “Too many Authentication Failures for user root”

Are you sure that root login to ssh is allowed?

Check sshd_config and verify that root login is permitted. sshd will need to be restarted if the setting changes.

Ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

Best Answer

Related Solutions

Ssh – How to recover from “Too many Authentication Failures for user root”

Ssh-agent forwarding and sudo to another user

Related Topic