Tell me more ×
Unix & Linux Stack Exchange is a question and answer site for users of Linux, FreeBSD and other Un*x-like operating systems.. It's 100% free, no registration required.
up vote 4 down vote favorite

I have a debian box that I connect to via SSH. I have removed the password from the users root, and my personal account using the instructions here, and set up a public/private key pair so I can log in, but only if I have the private key.

I recently ran cat /etc/passwd in order to see what other users where on the system, and got a fair list back. So, how can I determine the password status for each user so that if I make the box public to the wider world (via ssh only), there are no other users that someone could use to authenticate with?

share|improve this question

2 Answers

up vote 6 down vote accepted

Probably you should look at sshd configuration.

There is an option to deny password authentication:

PasswordAuthentication no

and you can create a list of users that are allowed to connect via ssh:

AllowUsers cgoddard
share|improve this answer
up vote 2 down vote

The "fair list" of users you get back are probably just system users, i.e., users created to own some service (having e.g. apache running as a separate user helps limiting the damage it could do to others if it goes crazy or is subverted). They probably have impossible passwords (here in Fedora 18 I have for example in /etc/shadow the entry bin:*:15209:0:99999:7:::, as * is not the hash of any password, there is no way to log in as user bin; note that /etc/shadow is root-only read for security reasons).

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.