RE: [Wlug] pubkey authentication in openssh
> You can put a "*" in the password field of the user and then it's a locked account, but pubkey will still work.

Yes, this works, I use it all the time. Just a note that the "*" needs to go in the /etc/shadow file, not in /etc/passwd.

> There's no per-user config to specify what authentication methods are allowed. It's a global setting.

You can specify per user ssh config settings in $USER/.ssh/config file. The user's configuration file overwrites the system-wide configuration file (/etc/ssh/ssh_config) settings for that user. Make sure that $USER/.ssh/config is owned by $USER and perms are set to 600. For example you can add "PasswordAuthentication no" to $USER/.ssh/config and disable password auth for $USER, while leaving "PasswordAuthentication yes" (this is the default) in the system-wide configuration file (/etc/ssh/ssh_config).

-Ross

-----Original Message-----
From: wlug-bounces@mail.wlug.org [mailto:wlug-bounces@mail.wlug.org] On Behalf Of Theo Van Dinter
Sent: Friday, February 17, 2006 5:24 PM
To: Worcester Linux Users Group
Subject: Re: [Wlug] pubkey authentication in openssh

On Fri, Feb 17, 2006 at 05:15:55PM -0500, Eric Stein wrote:
> automated account: public key login only (no password authentication allowed - yeah, I know I can just set the password to something really big and hope nobody guesses, but the point of pub/priv key auth is higher security)

You can put a "*" in the password field of the user and then it's a locked account, but pubkey will still work. There's no per-user config to specify what authentication methods are allowed. It's a global setting.

--
Randomly Generated Tagline:
"Abnegation is un-American. We're going to drive the vehicle we want, wear what we want, consume as much as necessary, worship whomever we choose, and show as much cleavage as possible in beer commercials." - http://www.fool.com/News/Foth/2003/foth030203.htm?source=EDNWFH

On Thu, Feb 23, 2006 at 12:58:19AM -0500, Minkov, Ross wrote:
> > There's no per-user config to specify what authentication methods are allowed. It's a global setting.
>
> You can specify per user ssh config settings in $USER/.ssh/config file. The user's configuration file overwrites the system-wide configuration file (/etc/ssh/ssh_config) settings for that user.

For the client side, yes, you can do that. However, there is nothing like that for the server side which is what has been discussed so far.

--
Randomly Generated Tagline:
"So, the long and short of it--if you have one sysadmin, you have a "system administrator." If you have two sysadmins, you have two "system administrators." If you have two thousand sysadmins, you're at LISA." - Trey Harris <Pine.LNX.4.30.0105091748220.27344-100000@shells.valinux.com>
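
An added example, not written by anyone in the thread: a small Python audit that reads passwd- and shadow-format text and reports, per account, whether the password field holds a usable hash, is locked (starts with "*" or "!"), or is empty, which is the state the thread relies on for a key-only account. The account names and entries are constructed sample data; on a real system the inputs would be the contents of /etc/passwd and /etc/shadow.

```python
# Added example: classify each account's password field (shadow(5) format).
# All entries below are constructed sample data, not from a real system.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:1001:1001:automated account:/home/backup:/bin/sh
alice:x:1002:1002::/home/alice:/bin/bash
guest:x:1003:1003::/home/guest:/bin/sh
legacy:*:1004:1004::/home/legacy:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
alice:$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


def classify(field):
    """Map a shadow password field to a coarse state."""
    if field is None:
        return "missing"   # passwd says 'x' but no shadow entry exists
    if field == "":
        return "empty"     # no password set at all: review immediately
    if field[0] in "*!":
        return "locked"    # cannot match any crypt(3) output
    return "hash"          # a password login is possible


def audit(passwd_text, shadow_text):
    """Return {user: state} for every account listed in passwd_text."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, field = line.split(":")[:2]
            shadow[name] = field
    report = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw = line.split(":")[:2]
        # Only an 'x' in passwd points at the shadow file; anything else
        # is reported separately so it gets checked by hand.
        report[name] = classify(shadow.get(name)) if pw == "x" else "not-shadowed"
    return report


if __name__ == "__main__":
    for user, state in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{user:8} {state}")
```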