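#!/usr/bin/env -S generatorsh
# $HeadURL$ $LastChangedRevision$
# vim: filetype=sh
#
# Generates an sshd_config fragment for the host named by $HOST_OS and writes
# it to stdout. Only public-key authentication is permitted; PAM is enabled so
# that its session/account stack runs (e.g. to create /run/user/$UID), not for
# credential checking.
#
# Environment: HOST_OS (required) - one of debian10, debian11, debian12, debian13.
# Outputs:     sshd_config directives on stdout.
# Exits:       via miniade_error on an invalid HOST_OS; 1 if miniade cannot be sourced.

# Includes
#
# Quote the substitution so a path containing whitespace is passed as one word.
. "$(miniade)" || { echo "${0##*/}: ERROR: miniade failed (hint: run 'miniade' to see error)" >&2; exit 1; }

#######################################
# Emit the sshd_config fragment.
# Globals:   HOST_OS (read)
# Arguments: none (positional parameters are ignored)
# Outputs:   sshd_config directives on stdout
# Returns:   0; does not return on an invalid HOST_OS (miniade_error)
#######################################
main() {
  # Sanity checks and derivations
  #
  # Anchored at both ends so that only the four exact names are accepted;
  # the unanchored form would let e.g. "debian100" through to the per-release
  # dispatch below, which then reports it as "unexpected" instead of "invalid".
  [[ $HOST_OS =~ ^debian(10|11|12|13)$ ]] || miniade_error "$HOST_OS: invalid value for HOST_OS"

  # Guts
  #
  # In May 2025, I modified my psrf configuration to create a file under /run/user/$UID. But
  # on farfalle that directory did not exist. It turned out that that directory is created by
  # PAM and that ssh-ing into a machine will only create it if 'UsePAM' is set in /etc/sshd_config.
  # The sshd_config man page is a little scary, seemingly suggesting that this might allow
  # password authentication, but ChatGPT reassures me that this is not the case:
  #
  #   ... there's a clear distinction between authentication methods and PAM session hooks.
  #   Summary:
  #
  #   UsePAM yes does not override AuthenticationMethods publickey -- it just enables PAM for
  #   session/account management if authentication succeeds.
  #   You can have UsePAM yes and still enforce public key-only login.
  #
  #   What's happening under the hood:
  #
  #   When UsePAM yes:
  #
  #   PAM is involved in two places:
  #
  #     Authentication (e.g. passwords, keyboard-interactive)
  #     Session/account setup (e.g. pam_systemd.so, pam_limits.so)
  #
  #   BUT:
  #
  #   If AuthenticationMethods publickey is set, then only public key auth is allowed.
  #   So PAM will not be used for authentication unless you include keyboard-interactive or
  #   password in AuthenticationMethods.
  #
  #   Safe, secure setup (your case)
  #
  #   If you want only public key auth, and you still want PAM to create /run/user/1000, you can do:
  #
  #     UsePAM yes
  #     AuthenticationMethods publickey
  #     PasswordAuthentication no
  #     KbdInteractiveAuthentication no
  #
  #   That way:
  #
  #   PAM is not used to check passwords or credentials.
  #   PAM is used for session setup (e.g. pam_systemd.so), so /run/user/1000 works.
  #
  #   This is a common setup on hardened systems using systemd.
  #
  # It also suggested a minimal stripped down config, which it based on my old config. I decided
  # to go with what it suggested, which is here. Its notes on this config were:
  #
  #   UsePAM yes enables the PAM session stack (needed for /run/user/1000), not password login,
  #   since both PasswordAuthentication and KbdInteractiveAuthentication are disabled.
  #   ChallengeResponseAuthentication no is also added to suppress any PAM challenge-response
  #   mechanisms.
  #   You can remove KbdInteractiveAuthentication if it's not compiled in -- but it's harmless
  #   to leave.
  #
  # Note that with UsePAM yes the PAM *account* stack (e.g. pam_nologin, pam_access) still
  # gates logins after a successful public-key authentication, which is the desired effect.

  echo "# Only allow public key authentication"
  echo "AuthenticationMethods publickey"
  echo "PasswordAuthentication no"
  echo "KbdInteractiveAuthentication no"
  # ChallengeResponseAuthentication is the older name for KbdInteractiveAuthentication;
  # recent OpenSSH still accepts it as a deprecated alias, so setting both is harmless.
  echo "ChallengeResponseAuthentication no"
  # Session/account hooks only: with the three methods above disabled, PAM is never
  # consulted for credentials.
  echo "UsePAM yes"
  echo
  echo "# Accept environment variables from client"
  echo "AcceptEnv LANG LC_*"
  echo
  echo "# Enable X11 forwarding if needed"
  echo "X11Forwarding yes"
  echo
  echo "# Allow TCP forwarding (for SSH tunnels, etc.)"
  echo "AllowTcpForwarding yes"
  echo
  echo "# Configure sftp subsystem"
  echo "Subsystem sftp /usr/lib/openssh/sftp-server"
  echo

  # Debian 13 complains when I try to set PubkeyAcceptedKeyTypes.
  # (PubkeyAcceptedKeyTypes is the pre-8.5 name of PubkeyAcceptedAlgorithms.)
  # NOTE(review): the plain "ssh-rsa" entry names the SHA-1 RSA signature scheme, which
  # OpenSSH disables by default from 8.8 on; listing it here re-enables SHA-1 signatures
  # on these releases. Keep it only while clients that cannot use rsa-sha2-* still need
  # access, and drop it once they are gone.
  if [[ $HOST_OS =~ ^debian(10|11|12)$ ]]; then
    echo "# Explicitly list accepted key types (optional but clear)"
    echo "PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512"
    echo
  elif [[ $HOST_OS == debian13 ]]; then
    # Nothing release-specific to emit.
    :
  else
    # Unreachable given the anchored check above; kept as a guard against future edits.
    miniade_error "$HOST_OS: unexpected value for HOST_OS"
  fi

  # Previously, virtualisation servers restricted login to root, but they're not LDAP clients
  # so I think this is superfluous. Besides which, there is no environment variable set by pcms
  # to indicate whether this restriction would be desired.
  #echo "AllowUsers root"
}

main "$@"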