SSH Prevents "System" User From Logging In?
  • I'm running into an issue where a user, created with the "--system" flag to the "adduser" command, cannot SSH into the system. I'm doing this as per the specifications for the setup of gitosis (http://scie.nti.st/2007/11/14/hosting-git-repositories-the-easy-and-secure-way/). I get a permission denied message. Following the same configuration, but not specifying "--system" for the user, makes everything work. I am also specifying "--disable-password". The goal of all this is to set up a user that can only SSH in via public key, and that can only run one command (so the user's authorized_keys2 file has a "command=" portion to it as well). So a few questions:

    * My (limited) understanding of what "--system" does is that the user cannot do an interactive login. It appears that for gitosis they specify this to add that level of security, and help ensure that someone can't use this user interactively, etc.
    * I am wondering if there is some SSH configuration aspect that denies any and all SSH for "system" users, and that's why I'm running into this problem? Obviously plenty of other people are using it this way, so either it's an SSH configuration aspect or something specific to my system setup.
    * Has anyone else set this kind of thing up in general? Any issues/tips/tricks?
    * Or has anyone set up gitosis the same way the above link mentions, on an Ubuntu slice?
  • On the gitosis setup page you provided, the guy says he's using Ubuntu. Are you using that as well?
    I'm on Fedora, and when I add --system to a useradd command it says invalid argument. I can't find a man page with it either. Can you paste the part of the man page with --system in it?
  • Yes, I'm running Ubuntu 7.10. Here's the section from the adduser manpage:

    Add a system user

    If called with one non-option argument and the --system option, adduser will add
    a system user. If a user with the same name already exists in the system uid
    range (or, if the uid is specified, if a user with that uid already exists),
    adduser will exit with a warning.

    adduser will choose the first available UID from the range specified for system
    users in the configuration file. The UID can be overridden with the --uid
    option.

    By default, system users are placed in the nogroup group. To place the new
    system user in an already existing group, use the --gid or --ingroup options. To
    place the new system user in a new group with the same ID, use the --group
    option.

    A home directory is created by the same rules as for normal users. The new
    system user will have the shell /bin/false (unless overridden with the --shell
    option), and have logins disabled. Skeletal configuration files are not copied.
  • I don't believe this is directly configurable behavior for SSHD. However, you can configure SSHD to use PAM for authentication. If UsePAM is 'yes', then this may be a system-level restriction, perhaps defined somewhere in /etc/pam.d. Do you really need this to be a system account?
  • Linux system users CAN log in without restriction, but the one you created can't since it doesn't have a shell that allows interaction:
    The new system user will have the shell /bin/false (unless overridden with the --shell
    option), and have logins disabled.
    Try creating your user as follows:

    adduser username --system --disabled-password --shell /bin/sh

    Drop your keys into place and give it a shot... it should work. Technically speaking, your system user does have a shell, "/bin/false", which returns false and immediately terminates. The result is that you in fact are logging in, but are immediately and forcibly logged out as "/bin/false" terminates. You can replace "/bin/sh" with most any other command. You could (and maybe should) change the shell to the single command you wish to run on login, which restricts the user to that one command. It would also result in a forced logout immediately after that command terminates, without need for a manual logout.
  • The user does have --shell. Here's the precise adduser command that was used:

    sudo adduser --system --shell /bin/sh --gecos 'git version control' --group --disabled-password --home /home/git git
  • Ok, my bad, I should have taken a look at the site that you referenced before assuming. That command looks good, and works fine on my test slice to boot. You might want to check the ownership and permissions on your key file to ensure the git user can actually read it. Are you using a non-standard SSH port on the server? You might possibly need to tell your SSH client about it if you aren't using 22.
  • I've looked at the /home/git/.ssh/authorized_keys2 file, and the proper key is in there. I should note, the git command that set that up originally created "authorized_keys", which I've tried, but since normally I have "authorized_keys2" for all other users, I tried that as well (and I have my SSHD config set to only allow 2).
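As an added example (not code from the thread or from gitosis), the POSIX shell functions below check the two causes discussed above: a login shell of /bin/false that ends the session as soon as it starts, and ~/.ssh or authorized_keys permissions that sshd's StrictModes rejects; they also count keys carrying a forced command= option. The passwd line, key contents and paths are constructed fixtures.

```shell
#!/bin/sh
# Added example, not from the thread: audit why a public-key login for an
# account such as "git" might fail. Inputs are a passwd-style line and a
# home directory; demo() builds a constructed fixture in a temporary dir.

# Classify the login shell (7th passwd field). sshd still authenticates the
# user, but /bin/false exits at once, so the session ends immediately.
shell_status() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        ""|/bin/false|/usr/sbin/nologin|/sbin/nologin) echo noshell ;;
        *) echo ok ;;
    esac
}

# True if a path is group- or world-writable; sshd's default StrictModes
# refuses ~/.ssh and authorized_keys in that state (login is just denied).
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Verdict for a home directory: missing (no key file), loose (bad perms), ok.
keyfile_status() {
    dir=$1/.ssh
    file=""
    for f in "$dir/authorized_keys" "$dir/authorized_keys2"; do
        if [ -f "$f" ]; then file=$f; break; fi
    done
    if [ -z "$file" ]; then echo missing; return; fi
    if writable_by_others "$dir" || writable_by_others "$file"; then
        echo loose
    else
        echo ok
    fi
}

# Count key lines with a forced command (command="..."), i.e. keys limited
# to that one program no matter which login shell the account has.
forced_command_count() {
    if [ -f "$1" ]; then grep -c 'command="' "$1" || true; else echo 0; fi
}

demo() {
    tmp=$(mktemp -d)                      # constructed fixture home
    mkdir -m 700 "$tmp/.ssh"
    printf 'command="git-serve" ssh-rsa AAAAB3NzaC1yc2E constructed@example\n' \
        > "$tmp/.ssh/authorized_keys2"
    chmod 600 "$tmp/.ssh/authorized_keys2"
    echo "shell:  $(shell_status 'git:x:999:999::/home/git:/bin/false')"
    echo "keys:   $(keyfile_status "$tmp")"
    echo "forced: $(forced_command_count "$tmp/.ssh/authorized_keys2")"
    rm -rf "$tmp"
}
demo
```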