JavaRanch » Java Forums » Engineering » Linux / UNIX

Passwordless access for sudo user

Joe Harry

On my Raspberry Pi, I'm trying to do the following:

(1) Allow passwordless access for a user (UserA) that has sudo controls (used ssh-keygen) and uploaded the public key

That works fine. Now what I want to do is that I want to allow other users (UserB, UserC and so on) that are not in the sudo group to log into the system using a normal password. But when I try to log in as another user, it says public key permission denied. I understand that it is trying to look for the public key in the home folder of the other user (UserA). But how do I control this? I want to ssh log in as other users from any machine just by using a password. Can anyone throw some light on this please?

SCJP 1.4, SCWCD 1.4 - Hints for you, Certified Scrum Master
Did a rm -R / to find out that I lost my entire Linux installation!
Richard Tookey

I assume you have created accounts for UserB, UserC etc. If so then you should not need to do anything more! From the remote computer UserB just needs to use

ssh UserB@pi_hostname

and he will then be asked to type in his account password. Note - the first time he logs in through SSH he will also be asked to confirm the fingerprint of the PI certificate.

Of course password based user authentication for SSH is not very secure and one should always use certificate based authentication for both client and server.

Joe Harry

Richard Tookey wrote:I assume you have created accounts for UserB, UserC etc. If so then you should not need to do anything more! From the remote computer UserB just needs to use

ssh UserB@pi_hostname

and he will then be asked to type in his account password.

That is where the problem is! ssh UserB@pi_hostname fails to log in with Permission Denied (Public Key).
Joe Harry

What I want is that UserB logs in with his password and not with the certificate!
Richard Tookey

Joe Harry wrote:What I want is that UserB logs in with his password and not with the certificate!


As I already said - as long as he has an account on the PI he does not need to use a certificate! He just needs his PI account password!
Joe Harry

Richard Tookey wrote:
Joe Harry wrote:What I want is that UserB logs in with his password and not with the certificate!


As I already said - as long as he has an account on the PI he does not need to use a certificate! He just needs his PI account password!


Hmm...what I failed to mention is that sshd_config is configured for PasswordAuthentication no. Is there a way to override this so that UserB logs in with his password?
Richard Tookey

My PI has the default Debian sshd_config file and this does not have 'PasswordAuthentication no'. I assume that you do not want to change that to 'yes' so what would be the point if the authentication options which say 'no' could be ignored?

Out of interest - why don't you want to allow certificate based authentication? Certificate based authentication is much more secure than password based authentication and much easier to use.
Joe Harry

Richard Tookey wrote:My PI has the default Debian sshd_config file and this does not have 'PasswordAuthentication no'. I assume that you do not want to change that to 'yes' so what would be the point if the authentication options which say 'no' could be ignored?


I definitely do not want to change it to yes, but what I want is that PasswordAuthentication no applies only for sudo user and for everyone else that does not belong to the sudo group, I want this to be yes!

Richard Tookey wrote:
Out of interest - why don't you want to allow certificate based authentication? Certificate based authentication is much more secure than password based authentication and much easier to use.


For the simple scenario of my home based RasPi, I do not want it that way. It definitely is a good idea, I might give it a try!
Richard Tookey

Joe Harry wrote:
Richard Tookey wrote:My PI has the default Debian sshd_config file and this does not have 'PasswordAuthentication no'. I assume that you do not want to change that to 'yes' so what would be the point if the authentication options which say 'no' could be ignored?


I definitely do not want to change it to yes, but what I want is that PasswordAuthentication no applies only for sudo user and for everyone else that does not belong to the sudo group, I want this to be yes!

I'm pretty sure that SSH cannot be configured to examine the 'sudoers' file and if it could it would have to look at the detail of the 'sudoers' file because not all sudoers are born equal. Presumably you have set your UserB, UserC etc as sudoers so that they can access the PI's GPIO. It should be possible to limit each sudoer to only have root access to the GPIO and no other root features. I have never needed to do this since I am the only person who accesses my PI but if I can find the time I will have a look at this this evening.


Richard Tookey wrote:
Out of interest - why don't you want to allow certificate based authentication? Certificate based authentication is much more secure than password based authentication and much easier to use.


For the simple scenario of my home based RasPi, I do not want it that way. It definitely is a good idea, I might give it a try!


Other than on the PI I never allow password based SSH on any of the computers I have any control over. I allow it on the PI because I forgot to dis-allow it. This evening I shall definitely dis-allow it!

Setting up SSH for certificate based authentication is trivial. On his/her client computer each user uses ssh-keygen to generate an RSA or DSA key pair and passes you the public key file (by email, floppy, memory stick, cd and even FTP (urgh)) and you append its contents to the user's SSH authorized_keys file on the PI. Job done. If UserB, UserC etc are Windows based and using Putty they can generate the key pair using Putty; I can't remember the command (I mainly use Linux for SSH) but I do remember it is very easy.
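The key setup Richard describes, written out as a script, with the server-side check that is behind most "Permission denied (publickey)" failures. This is an added example and not code from the thread. It assumes OpenSSH with ssh-keygen and ssh-copy-id on the client, and uses the thread's placeholder host name pi_hostname. It generates an Ed25519 key rather than the RSA or DSA key mentioned above: DSA (ssh-dss) has been disabled by default in OpenSSH since 7.0.

```sh
#!/bin/sh
# Added example, not from the thread: key-only access for one user, plus the
# server-side permission check behind most "Permission denied (publickey)" errors.
# Assumes OpenSSH (ssh-keygen, ssh-copy-id) on the client; "pi_hostname" is the
# thread's placeholder host name.

# Client side: one Ed25519 key per server, installed into ~USER/.ssh/authorized_keys
# on the Pi by ssh-copy-id (this last step still needs a password login once).
install_key_for() {  # install_key_for USER HOST
  key="$HOME/.ssh/id_ed25519_$2"
  [ -f "$key" ] || ssh-keygen -t ed25519 -f "$key" -C "$1@$2"
  ssh-copy-id -i "$key.pub" "$1@$2"
}

# Server side: with the default "StrictModes yes", sshd ignores authorized_keys
# when the home directory, ~/.ssh or the file itself is writable by group or
# other; the client only sees "Permission denied (publickey)" while auth.log
# says "Authentication refused: bad ownership or modes for directory ...".
# Lists offenders; returns 0 when everything is tight, 1 otherwise.
check_key_perms() {  # check_key_perms HOME_DIR
  home="$1"; rc=0
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    [ -e "$p" ] || continue
    mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")  # GNU, then BSD stat
    if [ $(( 0$mode & 022 )) -ne 0 ]; then   # any group/other write bit set
      echo "group/other-writable: $p (mode $mode)"; rc=1
    fi
  done
  return $rc
}

# Tighten the three paths to what sshd accepts.
fix_key_perms() {  # fix_key_perms HOME_DIR
  chmod go-w "$1"
  chmod 700 "$1/.ssh"
  [ -f "$1/.ssh/authorized_keys" ] && chmod 600 "$1/.ssh/authorized_keys"
  return 0
}

# Typical use on the Pi after a user reports "Permission denied (publickey)":
#   check_key_perms /home/UserB || fix_key_perms /home/UserB
# and on the client, "ssh -v UserB@pi_hostname" shows which keys were offered.
```

The permission check matters more than it looks: a home directory made group-writable so that several users can share files is enough to make sshd drop every key in that account, and the only client-side symptom is the same "Permission denied (publickey)" message the thread is about.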
Joe Harry

Richard Tookey wrote:Setting up SSH for certificate based authentication is trivial. On his/her client computer each user uses ssh-keygen to generate an RSA or DSA key pair and passes you the public key file (by email, floppy, memory stick, cd and even FTP (urgh)) and you append its contents to the user's SSH authorized_keys file on the PI. Job done. If UserB, UserC etc are Windows based and using Putty they can generate the key pair using Putty; I can't remember the command (I mainly use Linux for SSH) but I do remember it is very easy.


Looks like I did not explain properly what I did originally. So here it is:

On my local machine, I ran the ssh-keygen and generated a key pair. Used ssh-copy-id to copy the public key to my remote RasPi. Then I modified the sshd_config for PasswordAuthentication no. So far all good.

I have two users, UserA and UserB. UserA is the default user that ships with the Pi (the pi user). It belongs to the sudo user group. I created another user UserB and added this user to all the groups other than the sudo user group. What I want to achieve now is that, for UserB, I do not want certificate based login, but rather I want UserB to give his password when he logs in remotely using SSH. When UserA logs in, he must be authenticated against the certificate (passwordless).

What is happening now is that even UserB is authenticated against the certificate. How to avoid this and make UserB provide a password when logging in remotely using SSH.
Richard Tookey

Joe Harry wrote:
Looks like I did not explain properly what I did originally. So here it is:

On my local machine, I ran the ssh-keygen and generated a key pair. Used ssh-copy-id to copy the public key to my remote RasPi. Then I modified the sshd_config for PasswordAuthentication no. So far all good.

I have two users, UserA and UserB. UserA is the default user that ships with the Pi (the pi user). It belongs to the sudo user group. I created another user UserB and added this user to all the groups other than the sudo user group. What I want to achieve now is that, for UserB, I do not want certificate based login, but rather I want UserB to give his password when he logs in remotely using SSH. When UserA logs in, he must be authenticated against the certificate (passwordless).

What is happening now is that even UserB is authenticated against the certificate. How to avoid this and make UserB provide a password when logging in remotely using SSH.


I understood that and have said that I don't think having turned off password authentication for ALL users you can then override that for a particular user. I would go so far as to say this would be insecure. I find it hard to understand why UserB cannot use certificate based authentication since UserA is already doing it and since it is trivial to set up.

I hope the statement " I created another user UserB and added this user to all the groups other than the sudo user group." is an exaggeration since this would defeat the object of having groups! Groups are used to restrict access and this would remove most restrictions.

Maybe you could explain why you need UserB to authenticate using his password and not use certificate based authentication.
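sshd can in fact do what Joe asks. Match blocks in sshd_config (criteria include User, Group, Host and Address) override global keywords for connections that satisfy their criteria, and PasswordAuthentication is one of the keywords permitted inside a Match block. What follows is an added example, not code from the thread: a shell script that emits such a configuration with keys-only as the global default and a password exception for one group, plus a small awk reader that works out which value a given user ends up with, so the ordering rules can be checked offline before touching the Pi. The group name pwusers is an assumption (UserB, UserC and so on would be added to it); sudo is the Raspbian sudo group.

```sh
#!/bin/sh
# Added example, not from the thread: an sshd_config layout that keeps password
# logins off by default and re-enables them only for members of one group, plus a
# small reader that shows which value a given user ends up with.
# Assumptions: the sudo group is "sudo" (Raspbian default) and the password-allowed
# group is a hypothetical "pwusers" that UserB, UserC ... are added to.

# Emit the config fragment. Match blocks must be the last thing in sshd_config:
# every directive after a "Match" line belongs to that block until the next
# "Match", and a matching block overrides the global value of the same keyword.
gen_sshd_match_config() {  # gen_sshd_match_config [PW_GROUP]
  pw_group="${1:-pwusers}"
  cat <<EOF
# Global defaults: keys only, for everyone.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no

# Members of $pw_group may authenticate with a password instead.
# Anyone not in $pw_group (including the sudo group) keeps the global "no".
Match Group $pw_group
    PasswordAuthentication yes
EOF
}

# Work out the effective PasswordAuthentication value for USER whose groups are
# given as a comma-separated list, using the rule sshd applies: the first global
# value wins unless a Match block whose criteria the user satisfies sets the
# keyword. Only "Group" and "User" criteria are understood here; any other
# criterion makes the block count as not matched. Prints "yes" or "no".
effective_password_auth() {  # effective_password_auth USER GROUPS CONFIG_TEXT
  printf '%s\n' "$3" | awk -v user="$1" -v groups="$2" '
    BEGIN {
      n = split(groups, g, ","); for (i = 1; i <= n; i++) member[g[i]] = 1
      val = "yes"            # sshd built-in default when the keyword is absent
      in_match = 0; active = 0; seen_global = 0; seen_match = 0
    }
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == "match" {
      in_match = 1; active = 1
      for (i = 2; i <= NF; i += 2) {   # criteria come in keyword/pattern pairs
        crit = tolower($i); hit = 0
        m = split($(i + 1), pats, ",")
        for (j = 1; j <= m; j++) {
          if (crit == "group" && (pats[j] in member)) hit = 1
          if (crit == "user" && pats[j] == user) hit = 1
        }
        if (!hit) active = 0         # every criterion on the line must match
      }
      next
    }
    tolower($1) == "passwordauthentication" {
      v = tolower($2)
      if (!in_match && !seen_global) { val = v; seen_global = 1 }
      else if (in_match && active && !seen_match) { val = v; seen_match = 1 }
    }
    END { print val }'
}

# Deploy on the Pi (as root), syntax-check, then ask sshd itself what it would
# apply for a given connection; the address is a placeholder for the client IP.
#   gen_sshd_match_config pwusers >> /etc/ssh/sshd_config
#   sshd -t && service ssh reload
#   sshd -T -C user=UserB,host=laptop,addr=192.168.1.20 | grep -i passwordauthentication
#   sshd -T -C user=pi,host=laptop,addr=192.168.1.20 | grep -i passwordauthentication
```

Two things worth checking after deploying: `sshd -T -C ...` is the authoritative answer to "which value applies to this user", and a user who is in both sudo and pwusers gets passwords enabled, so keep the two groups disjoint. Richard's point above still stands: a user with unrestricted sudo can edit sshd_config or his own authorized_keys, so this separates the accounts' login methods but does not confine the sudo user.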
Joe Harry

I would need to have the possibility to log-in to my RasPi from another computer. The user that has sudo access will be restricted and he can log-in only from that one computer where the private key is. Does this argument make sense?
Richard Tookey

Joe Harry wrote:I would need to have the possibility to log-in to my RasPi from another computer. The user that has sudo access will be restricted and he can log-in only from that one computer where the private key is. Does this argument make sense?


No it does not make sense. Typically for the PI the sudo user has infinite power so he can append as many certificates as he wants to his own authorised_keys file so allowing him to access the PI from any computer. Even if you restrict the access by the prime user using the .rhosts and .shosts files or by changing any of the SSH configuration parameters the prime user can just edit these files to change the settings.

I configured my PI in the first place using a separate Monitor, Mouse and Keyboard. Once setup I removed all these and now only access the PI using SSH with certificate based authentication. I added a second user and he can only access the PI using SSH with certificate based authentication. The second user has been added to the sudoers file but with the restriction that he can only restart the Apache HTTP server and the Tomcat server.

The second user can access the PI from any computer on which he has generated a key pair and appended the certificate to his authorised_keys file.