Shell – Passwordless SSH for “System User” with NO Login Shell

Securityshellssh

I have learned a lot today messing around with ssh with RSA and creating system user accounts with no password, no login etc etc. What I was trying to do was create a user with a home directory needed for ~/.ssh/ and a password (needed for initial ssh setup)

But I can't seem to get it set-up correctly.

I know about using

ssh-keygen
ssh-copy-id user@remotehost

This is simple for RSA

and I know how to create a user with say

useradd -r newuser

adduser newuser --system --shell=/bin/false
passwd newuser
passwd -d newuser

The End Goal

is a user who doesn't have a shell, or atleast can't be logged into from a remote computer, but can still be used to ssh over to another computer and run a command. Is this even possible?
The REASON/GOAL

is to have a user whom when the ups runs low on power, shuts down the other connected computers via ssh before shutting down the main computer. (Only one computer can connect to the UPS via USB at a time to monitor the stats).

I don't want people to be able to log in via SSH with the username UPS, but I need ups to be able to ssh into remotehost without password.

Best Answer

Set the crypt field to * or to !! in /etc/shadow

# adduser tst  
# passwd -l tst
Locking password for user tst.
passwd: Success
# grep tst /etc/passwd
tst:x:1000:1000::/home/tst:/bin/bash
# grep tst /etc/shadow
tst:!!:17030:0:99999:7:::

At this point the user can not login because there's no valid password.

Now add a command="/thing/to/do" to the beginning of the public key in the authorized_keys file

# ls -l $PWD/authorized_keys 
-rw-r--r-- 1 tst tst 431 Aug 17 17:54 /home/tst/.ssh/authorized_keys

# cat $PWD/authorized_keys
command="/bin/echo hello" ssh-rsa AAAAB3NzaC1yc2E....etcetc

Now this key can be used, but the only thing it can be used for is that forced command:

$ ssh -i ~/.ssh/id_rsa tst@test1
hello
Connection to test1 closed.

If you try to do anything else it'll fail, and still force the same command

$ ssh -i ~/.ssh/id_rsa tst@test1 reboot 
hello
$

Related Solutions

Shell – SSH: “Permission denied” after changing user shell

As mentioned in the comments, you should add /usr/bin/git-shell to /etc/shells.

Ssh – Cannot login or ssh to non-admin Cygwin user this month but could last month and still can for other non-admin user

After further research (here and here) I'm inclined to think the issue is NOT with Cygwin but rather with Windows 10. A light-bulb turned on in my head when I was in User2's Windows account yesterday and noticed I could launch Task Manager without a UAC prompt--something I knew User1 was always prompted for post Windows 10 upgrade from Windows 8 (despite that upgrade taking place almost a year ago during the free upgrade to Win 10 promotion). I figured it was a Windows 10 thing and never thought twice. When I realized it was happening prompt-free for User2 and googled work-arounds to fix it for User1, I found I could use the same work-around for User1's Cygwin issue. It still doesn't answer how User1's account got messed up in the first place, nor how to actually fix it the correct way, but I'm satisfied with this work-around as I can now get my git changes done for User1.

TL;DR

WORK-AROUND:

Open command-line (CMD.EXE) and set this variable to stop getting the UAC pop-up prompt:


set __compat_layer=runasinvoker

From the same terminal the environment variable was set, launch Cygwin:


c:\cygwin64\bin\mintty.exe

To make this permanent for this user (and make the desktop icon work again)


setx __compat_layer "runasinvoker"

To make this permanent for all users machine-wide, open admin command-line, then:


setx /m __compat_layer "runasinvoker"

And finally, to access git without fixing Cygwin, install "Git Bash".

Caveat: With the User1 account still technically broken, I still cannot use ssh to login but I can at least get to local Cygwin Terminal as User1. Also this work-around does not fix ability to modify User1's Windows User Environment variables via sysdm.cpl GUI (still get UAC prompt and then after only shows Admin's ENV vars instead of User1's) but that's something for the Windows-related Stack Exchange forum now that I know this is a Windows account problem and not Cygwin's. And SETX allows altering user and machine ENV vars from command-line.

Best Answer

Related Solutions

Shell – SSH: “Permission denied” after changing user shell

Ssh – Cannot login or ssh to non-admin Cygwin user this month but could last month and still can for other non-admin user

Related Question