Re: authorized_keys options for password access ??

Michael Gale wrote:
> Hello,
>
>     I have been able to restrict an account using options in the 
> authorized_keys file:
>
> --snip--
> from="*",command="/usr/local/bin/jcmenu",no-port-forwarding,no-X11-forwarding,no-agent-forwarding 
> ssh-rsa AAAA......
> --snip--
>
> However password based logins are currently allowed on the system and 
> can not be turned off :( Is there a way to have the above restrictions 
> in place regardless of the authentication method ?
>
> openssh-3.9p1-8.RHEL4.4

Not with that version.  You can disable some globally (eg X11Forwarding) 
but there's no equivalent to others (eg command=) there's no way to 
restrict individual users.

In current versions of OpenSSH there's an additional keyword "Match" 
that allows you to apply directives in sshd_config on a per-user (or per 
group or per host) basis.  There's also a new directive "ForceCommand" 
which is equivalent to the "command=" key restriction.

So assuming the user you want to restrict is "someuser", you could add 
this to the bottom of your sshd_config file:

Match User someuser
        ForceCommand /usr/local/bin/jcmenu
        AllowTcpForwarding no
        X11Forwarding no

There's no equivalent to "no-agent-forwarding" but it would not be hard 
to add.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.