From cliffo@u.washington.edu Sat Mar 9 18:36:18 2002
Received: from mailscan2.cac.washington.edu (mailscan2.cac.washington.edu [140.142.33.16])
	by lists.u.washington.edu (8.12.1+UW01.12/8.12.1+UW02.01) with SMTP id g2A2aHnJ043726
	for ; Sat, 9 Mar 2002 18:36:17 -0800
Received: FROM mxu1.u.washington.edu BY mailscan2.cac.washington.edu ; Sat Mar 09 18:36:16 2002 -0800
Received: from mxout1.cac.washington.edu (mxout1.cac.washington.edu [140.142.32.5])
	by mxu1.u.washington.edu (8.12.1+UW01.12/8.12.1+UW02.01) with ESMTP id g2A2aGc6027390
	for ; Sat, 9 Mar 2002 18:36:16 -0800
Received: from mailscan-out1.cac.washington.edu (mailscan-out1.cac.washington.edu [140.142.32.17])
	by mxout1.cac.washington.edu (8.12.1+UW01.12/8.12.1+UW02.01) with SMTP id g2A2aGxZ001689
	for ; Sat, 9 Mar 2002 18:36:16 -0800
Received: FROM dante09.u.washington.edu BY mailscan-out1.cac.washington.edu ; Sat Mar 09 18:36:15 2002 -0800
Received: from localhost (cliffo@localhost)
	by dante09.u.washington.edu (8.12.1+UW01.12/8.12.1+UW02.01) with ESMTP id g2A2aFGk060362
	for ; Sat, 9 Mar 2002 18:36:15 -0800
Date: Sat, 9 Mar 2002 18:36:15 -0800 (PST)
From: "C. Olmsted"
To: UW Linux Group
Subject: Re: SSH2 -N feature
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

True, true, I use public keys all the time to log in to my work computers
from home. The question then remains as to how to disable an account. I
understand that you can add entries to sshd_config, but that seems to
create two locations for account control (passwd/shadow and sshd_config).
The downside in my mind is the additional burden on the admin to maintain
all this. Is there an easier way?

Cliff

On Sat, 9 Mar 2002, William Rowden wrote:

> Yesterday, C. Olmsted wrote:
> > Or putting an exclamation point (!) at the start of the encoded
> > passwd string in the shadow passwd file...
>
> This may work if RSA Authentication is disabled and the user has no
> public keys in the account. Otherwise, the user could authenticate
> using RSA public keys and use port forwarding with both an exclamation
> point in the password string in the shadow password file and /bin/false
> in the password file.
>
> I "disabled" an account via `passwd -l`, checked for the exclamation
> point in "/etc/shadow", and installed some public keys for which I
> had the private keys. I was able to authenticate with an OpenSSH
> server daemon (2.9p2) [1].
>
> We don't use passwords for shell access on this particular host,
> anyway. This requires trusting users to have good passphrases on
> their private keys. Even if they don't, the key is elsewhere.
>
> > On Fri, 8 Mar 2002, Matt Barclay wrote:
> > > Many folks will disable an account by setting the user's shell to
> > > /bin/false. That prevents the user from logging in and executing a
> > > shell. Well, SSH2 has a "-N" switch that says "don't execute a shell
> > > or a command". It is useful if you are setting up SSH tunnels. The
> > > combination of "-N" with forwarding will then allow the user, with
> > > /bin/false as a shell, to authenticate with the SSHD server and port
> > > forward to any machine anywhere. The forwarded packets will look like
> > > they are coming from the SSHD server. I tested this by SSH'ing into a
> > > friend's firewall and forwarding ports into his private LAN.
> > >
> > > So lesson learned: don't forget to list disabled accounts in
> > > sshd_config using the DenyUsers directive.
>
> [1] I disabled UseLogin, but I should upgrade. I see that 3.1 is out now.
> --
> -William
> Get some rest. If you haven't got your health, you haven't got anything.
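The gap the thread describes (an account locked with `passwd -l` or a `!` in /etc/shadow, and/or given /bin/false as its shell, that can still authenticate with a public key and run `ssh -N` with port forwarding) is easy to audit for. The POSIX shell script below is an added example, not code from anyone on the list: it lists users whose shadow entry is locked, who still hold a non-empty ~/.ssh/authorized_keys (or authorized_keys2, the second name OpenSSH 2.x also reads), and who are not named in a DenyUsers line of sshd_config. The file paths, the user names and the key material in the fixture are constructed for the demonstration. DenyUsers is compared by literal user name only; sshd also accepts wildcard patterns there, which this check does not expand, so a pattern-based DenyUsers line will still show the user as uncovered.

```shell
#!/bin/sh
# Added example: find locked accounts that can still log in via SSH keys.
# Assumed inputs: a shadow-format file, a directory holding the users' home
# directories, and an sshd_config. Run as root on a real host with
#   audit_locked_accounts /etc/shadow /home /etc/ssh/sshd_config

# Users whose shadow password field starts with '!' (what `passwd -l` does).
locked_users() {
    awk -F: '$2 ~ /^!/ { print $1 }' "$1"
}

# Every name listed on a DenyUsers line of sshd_config (literal names only;
# wildcard patterns are printed as-is and will not match a user name).
denied_users() {
    awk 'tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Locked users holding a non-empty authorized_keys/authorized_keys2 that are
# not covered by DenyUsers. One user name per line; empty output means clean.
audit_locked_accounts() {
    shadow=$1; homes=$2; cfg=$3
    denied=$(denied_users "$cfg")
    for u in $(locked_users "$shadow"); do
        has_key=0
        for f in "$homes/$u/.ssh/authorized_keys" "$homes/$u/.ssh/authorized_keys2"; do
            [ -s "$f" ] && has_key=1
        done
        [ "$has_key" -eq 1 ] || continue
        printf '%s\n' "$denied" | grep -qx -- "$u" && continue
        echo "$u"
    done
}

# Constructed fixture (not real system data) in a temp dir; prints its path.
#   alice: locked, no key             -> not reported
#   bob:   locked, key, in DenyUsers  -> not reported
#   carol: locked, key, NOT denied    -> reported (the hole from the thread)
#   dave:  active, key                -> not locked, so out of scope
make_fixture() {
    d=$(mktemp -d)
    cat > "$d/shadow" <<'EOF'
alice:!$1$saltsalt$0123456789abcdefghijkl:11750:0:99999:7:::
bob:!$1$saltsalt$0123456789abcdefghijkl:11750:0:99999:7:::
carol:!$1$saltsalt$0123456789abcdefghijkl:11750:0:99999:7:::
dave:$1$saltsalt$0123456789abcdefghijkl:11750:0:99999:7:::
EOF
    cat > "$d/sshd_config" <<'EOF'
PermitRootLogin no
DenyUsers bob
EOF
    mkdir -p "$d/home/alice"
    for u in bob carol dave; do
        mkdir -p "$d/home/$u/.ssh"
        # Placeholder key line, not a real key.
        echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedkey $u@example" \
            > "$d/home/$u/.ssh/authorized_keys"
    done
    echo "$d"
}

# Stand-alone demo on the fixture.
demo=$(make_fixture)
echo "locked accounts still reachable by key and not in DenyUsers:"
audit_locked_accounts "$demo/shadow" "$demo/home" "$demo/sshd_config"
rm -rf "$demo"
```

The remedy the thread settles on is the last line of the fixture's sshd_config: every user the audit prints belongs on a DenyUsers line (or, equivalently, its authorized_keys removed), because neither the `!` in /etc/shadow nor /bin/false in /etc/passwd stops key authentication plus `-N` forwarding.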