<div dir="ltr"><p>I use PAM with ssh already and now just considering preventing the use of keys on internal Linux workstations, I'm going to do some more testing and see what works best, good to hear the view of others. </p>
<p>Just for info, on my externally facing servers I think the use of keys is more secure, I disable password authentication and have two ssh daemons - one for logging into from the outside that disables root log in and another ssh daemon that only allows local connections and allows you to become root. (all on non-standard ports)</p>
<p>Steve, can you elaborate on what a GPS is?<br></p><br><div class="gmail_quote">2008/9/17 Alain Williams <span dir="ltr"><<a href="mailto:addw@phcomp.co.uk">addw@phcomp.co.uk</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="Ih2E3d">On Tue, Sep 16, 2008 at 09:54:04PM +0100, Magnus Kelly wrote:<br>
<br>
</div><div class="Ih2E3d">> Then is it not possible to control which account the ssh key opens and<br>
> then force the user to su post login to a password protected account<br>
> that does not allow direct login - hence without the key you can't try<br>
> and login to the correct account that has the rights to perform the<br>
> legit remote process.<br>
<br>
</div>You could look at PAM. Put something appropriate into /etc/pam.d/sshd<br>
to limit what accounts someone can ssh in to. The user would then<br>
have to 'su' to get further.<br>
<br>
In /etc/ssh/sshd_config you can also control which accounts can be logged in to.<br>
<br>
PAM is prob more flexible ATM, although there is some work to make sshd<br>
do some of this itself.<br>
<font color="#888888"><br>
--<br>
</font><div class="Ih2E3d">Alain Williams<br>
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.<br>
+44 (0) 787 668 0256 <a href="http://www.phcomp.co.uk/" target="_blank">http://www.phcomp.co.uk/</a><br>
Parliament Hill Computers Ltd. Registration Information: <a href="http://www.phcomp.co.uk/contact.php" target="_blank">http://www.phcomp.co.uk/contact.php</a><br>
Chairman of UKUUG: <a href="http://www.ukuug.org/#include" target="_blank">http://www.ukuug.org/<br>
#include</a> <std_disclaimer.h><br>
<br>
_______________________________________________<br>
</div><div><div class="Wj3C7c">Watford mailing list<br>
<a href="mailto:Watford@mailman.lug.org.uk">Watford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>
</div></div></blockquote></div><br></div>