I've written a script to add CVS and SVN users on a Linux server (Slackware 14.0). This script creates the user if necessary, and either copies the user's SSH key from an existing shell account or generates a new SSH key.
Just to be clear, the accounts are specifically for SVN or CVS. So the entry in /home/${username}/.ssh/authorized_keys begins with (using CVS as an example):
command="/usr/bin/cvs server",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa ....etc...etc...etc...
Actual shell access will never be allowed for these users - they are purely there to provide access to our source repositories via SSH.
My problem is that when I add a new user, they get an empty password in /etc/shadow by default. It looks like:
paddycvs:!:15679:0:99999:7:::
If I leave the shadow file as is (with the !), SSH authentication fails. To enable SSH, I must first run passwd for the new user and enter something.
I have two issues with doing that. First, it requires user input which I can't allow in this script. Second, it potentially allows the user to login at the physical terminal (if they have physical access, which they might, and know the secret password -- okay, so that's unlikely).
The way I normally prevent users from logging in is to set their shell to /bin/false, but if I do that then SSH doesn't work either!
Does anyone have a suggestion for scripting this? Should I simply use sed or something and replace the relevant line in the shadow file with a preset encrypted secret password string? Or is there a better way?
Cheers =)
Answer
To avoid problems with locking, or messing up your shadow file, you could conceivably use
echo username:some_string | chpasswd
More specifically: you could actually use the * in the password field by doing this:
echo "username:*" | chpasswd -e
No comments:
Post a Comment