On Mon, Jul 1, 2013 at 6:24 PM, Grant <emailgr...@gmail.com> wrote: > My backup user needs a shell on the backup server in order to execute > rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in > order to SSH in. My authorized_keys file is locked-down. The second > field for the user in /etc/shadow is an exclamation point which I > think means the user can not log in with a password. Should I take > any additional steps to prevent that user from logging in and not > being subject to the authorized_keys restrictions?
There are a few distinct problems and solutions that come to mind. Here's my take as an uncertified non-expert: Problem: I want different SSHD config for different users Solution: use the "Match" directive in sshd_config (as Adam already pointed out) and enable or disable password authentication for users who are exceptions to the system-wide setting Problem: I don't want the backup user to be able to login using a password anywhere except ssh Solution 1: set the password to an * in /etc/shadow (disabled password login permanently) Solution 2: prefix the existing password with an ! in /etc/shadow (this disables pw login temporarily, remove the ! to restore the password) Solution 3: set the user's shell to /sbin/nologin in /etc/passwd Note: there are slight differences between these approaches, see "man 5 passwd" for details Problem: backup user should only be allowed to run the rsync command Solution 1: set a forced command in sshd_config for that user Solution 2: set a forced command in authorized_keys for that key I think if you combine that with what you've already done, that user should be well and truly locked down. That is based on using the standard Gentoo configuration... I'm sure there are 1000 different ways to do it and probably a lot of them better than what I suggested, so take it FWIW. :)
