[Gllug] Selective SSH logins

John Winters john at sinodun.org.uk
Tue Aug 26 12:09:40 UTC 2008


Garry Heaton wrote:
> Anyone know how to restrict SSH password logins to one account while 
> retaining key authentication for everything else? The only server-wide 
> options I can see are:
> 
> PubKeyAuthentication yes/no
> PasswordAuthentication yes/no
> 
> I want to have everybody using key authentication but retain one password 
> login in case something goes wrong with the keys.

The problem with that is you've immediately compromised your security by
allowing access to anyone who can brute-force the password.

What are you worrying might happen to the keys?  They don't rot, you
know.  Your only possible problem is if you mangle authorized_keys on
the server or accidentally delete your local copy of the private key on
your client machine.  To guard against the latter, keep backups, and the
way I've handled the former problem in the past is to have one account
on the server which is used *only* for emergency ssh access.  It still
needs public key authentication, but because the account is used for
absolutely nothing else there is no danger of accidentally deleting its
authorized_keys file.  (Unless you type "rm -rf /" as root, but if you
do that then you've got bigger problems.)


HTH
John
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
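
The reply above names two ways to lose key access: a mangled or deleted authorized_keys file, and a lost private key. The following check for the first case, applied to an emergency-only account, is an added example and not part of the original post. The function name `check_emergency_keys`, its return codes and the sample key material are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: sanity-check the authorized_keys file of an emergency-only
# SSH account. The return codes are this example's own convention.

# check_emergency_keys FILE
#   0  file looks usable
#   1  file missing or empty (deleted or truncated)
#   2  file writable by group or others (sshd StrictModes would ignore it)
#   3  no line that looks like a public key (mangled contents)
check_emergency_keys() {
    f=$1
    [ -s "$f" ] || return 1

    # POSIX find: prints the path only if a group/other write bit is set.
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
        return 2
    fi

    # Heuristic: skip comments, then look for "<key type> AAAA<base64>",
    # optionally preceded by an options field. Every OpenSSH public key
    # blob starts with "AAAA" when base64-encoded.
    types='ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)'
    if grep -v '^[[:space:]]*#' "$f" |
        grep -Eq "(^|[[:space:]])($types)[[:space:]]+AAAA[A-Za-z0-9+/]+=*([[:space:]]|\$)"; then
        return 0
    fi
    return 3
}

# Demo on constructed files (key material is a made-up placeholder).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLY rescue@laptop' > "$d/good"
    # First character lost in a paste: no longer a recognisable key type.
    printf '%s\n' 'sh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLY rescue@laptop' > "$d/mangled"
    chmod 600 "$d/good" "$d/mangled"
    for name in good mangled missing; do
        rc=0
        check_emergency_keys "$d/$name" || rc=$?
        echo "$name: $rc"
    done
    rm -rf "$d"
}
demo
```

Pointed at the emergency account's `~/.ssh/authorized_keys` from a scheduled job, a non-zero result is the cue to repair the file before it is needed.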



