Prevent interactive ssh login, but allow non-interactive?

  • 23-10-2005 9:17pm
    #1
    Registered Users, Registered Users 2 Posts: 1,865 ✭✭✭


    Title says it all.

    I want to allow non-interactive ssh login (eg scp, rsync, etc) to all users, deny interactive login except to users on a whitelist. Can this be done?

    The server is running OpenSSH on OpenBSD.


Comments

  • niallb


    Edit: I see now that you want interactive logins for your whitelist.
    I think you'll need to set PasswordAuthentication to yes
    for that, but I'm not sure if this is enough to get your desired behaviour.
    Hope it gets you nearly there anyway!

    Yes.
    You'll need the following options in sshd_config:

    PubkeyAuthentication yes
    PasswordAuthentication no


    and either add the users to a group and use
    AllowGroups your_ssh_access_group
    or list them all like this:
    AllowUsers you user1 user2 user3@hostname

    The user3@hostname form allows you to restrict a login as coming from a particular host.

    Hope that helps,
    NiallB


  • voxpop


    ssh -N

    -N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).


  • Syth


    voxpop wrote:
    ssh -N

    Users could not use the -N switch and get a shell. I want to prevent them from getting a shell.
    niallb wrote:
    Yes.
    You'll need the following options in sshd_config:

    PubkeyAuthentication yes
    PasswordAuthentication no

    and either add the users to a group and use
    AllowGroups your_ssh_access_group
    or list them all like this:
    AllowUsers you user1 user2 user3@hostname

    The user3@hostname form allows you to restrict a login as coming from a particular host.

    Hope that helps,
    NiallB

    That can prevent users from logging in (which I want), but prevents all users from using scp (for example), which I need.

    I knew about Allow{Groups,Users}, but they prevent any and all types of logins, including non-interactive.


  • voxpop


    Syth wrote:
    Users could not use the -N switch and get a shell. I want to prevent them from getting a shell.

    if you set the account shell to be something like /sbin/nologin - then the account can never get an interactive login, although I can see why you wouldn't want users messing with ssh arguments

    you could also wrap the ssh commands in some sort of compiled code i.e. java/.net or something like that


  • Syth


    voxpop wrote:
    if you set the account shell to be something like /sbin/nologin - then the account can never get an interactive login, although I can see why you wouldn't want users messing with ssh arguments

    Changing the shells is one way of doing it. It might be a bit of a headache, so I would prefer some kind of sshd_config option to change it.

    voxpop wrote:
    you could also wrap the ssh commands in some sort of compiled code i.e. java/.net or something like that

    We can kind of do something like that. But it would be too much of a headache. Not .net though. I don't think Microsoft supports OpenBSD on sparc64.


  • niallb


    I remember reading about this on freshmeat a few months back.
    Looks like it might be the very fellow for a shell: scponly

    Worth a shot.
    NiallB


  • cgarvey


    Or if you use key-auth, you can limit the command(s) allowed in the authorized_keys file


  • niallb


    cgarvey wrote:
    Or if you use key-auth, you can limit the command(s) allowed in the authorized_keys file

    That's probably the best way to do it.
    Much more flexible than my suggestion,
    though it requires more key management.

    NiallB
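The approach cgarvey and niallb settle on above works because a `command="..."` option on an authorized_keys line makes sshd run that command instead of whatever the client asked for, and stores the client's request in `SSH_ORIGINAL_COMMAND`. A plain interactive `ssh host` leaves that variable empty, while scp, rsync and sftp always send a command; so a small wrapper can refuse the empty case and allow-list the rest. This is exactly what a /sbin/nologin login shell cannot do, because sshd runs non-interactive commands through the user's shell as well, so nologin breaks scp and rsync along with interactive logins. The script below is an added example written for this thread, not code from the original posts or from OpenSSH; the script name, the binary paths and the key line are assumptions for an OpenBSD install.

```shell
#!/bin/sh
# ssh-restrict.sh: forced-command wrapper for an authorized_keys entry.
# (Added illustration; the script name and binary paths are assumptions.)
#
# Install as /usr/local/bin/ssh-restrict.sh and reference it from the key line:
#   command="/usr/local/bin/ssh-restrict.sh dispatch",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... user@host
#
# sshd runs the forced command instead of whatever the client asked for and
# places the client's request in SSH_ORIGINAL_COMMAND.  A plain "ssh host"
# (interactive login) leaves that variable empty, so refusing the empty case
# is what blocks shells while scp, rsync and sftp keep working.

SCP_BIN=/usr/bin/scp                  # OpenBSD base system
RSYNC_BIN=/usr/local/bin/rsync        # from packages; adjust to your install
SFTP_SERVER=/usr/libexec/sftp-server  # OpenBSD base system

# classify REQUEST: print which allow-listed program the request is for
# (scp, rsync or sftp) and return 0, or print nothing and return 1 to refuse.
# Only the server-side forms the clients actually send are accepted:
#   scp -t DIR / scp -f FILE (with -r, -p, -d, -v before them)
#   rsync --server ... (push) and rsync --server --sender ... (pull)
#   sftp (the subsystem name sshd substitutes for a subsystem request)
classify() {
    case "$1" in
        "")                 return 1 ;;   # no command at all: interactive shell
        *[';|&$`<>()']*)    return 1 ;;   # never let chaining/redirection through
        "scp "*"-t "*|"scp "*"-f "*) echo scp ;;
        "rsync --server "*) echo rsync ;;
        sftp)               echo sftp ;;
        *)                  return 1 ;;   # anything else, e.g. "bash -i" or "/bin/sh"
    esac
}

# dispatch: refuse, or exec the allow-listed binary with the client's arguments.
dispatch() {
    kind=$(classify "${SSH_ORIGINAL_COMMAND-}") || {
        echo "This key permits scp, rsync and sftp only; no shell access." >&2
        exit 1
    }
    # Word-split the request ourselves and never hand it to a shell: "$@" goes
    # straight to execve, so metacharacters in a path are data, not syntax.
    set -f                          # no globbing while we split
    set -- $SSH_ORIGINAL_COMMAND
    shift                           # drop the program name; we pick the binary
    case $kind in
        scp)   exec "$SCP_BIN" "$@" ;;
        rsync) exec "$RSYNC_BIN" "$@" ;;
        sftp)  exec "$SFTP_SERVER" ;;
    esac
}

# authorized_keys calls the script with the single argument "dispatch"; run
# with no arguments it only defines the functions above, so it can be sourced
# and the classifier exercised without an ssh session.
if [ "${1-}" = dispatch ]; then
    dispatch
fi
```

The `no-pty` and `no-*-forwarding` options on the key line close the other routes to an interactive session that a forced command alone does not. Two caveats: the request is split on whitespace and never re-quoted, so paths containing spaces or quote characters are not reconstructed (the price of not passing the request through a shell), and scp's and rsync's own server-mode options are still accepted as sent, so the wrapper restricts which programs run, not what those programs may touch; pair it with filesystem permissions. Whitelisted users simply get an unrestricted key line (or password login) and are unaffected. In OpenSSH releases after this thread (4.4 and later) the same wrapper can be applied server-wide from sshd_config with a `Match Group` block and `ForceCommand`, which gives the sshd_config-only answer Syth asked for without per-key management.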

