Passwordless SSH for "System User" with NO Login Shell
Set the encrypted-password (crypt) field in /etc/shadow to something no password can ever hash to, such as *
or a leading ! (this is what passwd -l does; a freshly created account that never had a password shows !!).
The account stays otherwise intact, so a public key in ~/.ssh/authorized_keys still works for it.
eg
# adduser tst
# passwd -l tst
Locking password for user tst.
passwd: Success
# grep tst /etc/passwd
tst:x:1000:1000::/home/tst:/bin/bash
# grep tst /etc/shadow
tst:!!:17030:0:99999:7:::
At this point the user cannot log in with a password, because nothing hashes to !!. Two caveats. First, the login shell is left as /bin/bash on purpose: sshd runs a forced command by handing it to the user's login shell (shell -c '...'), so /sbin/nologin or /bin/false would break the next step. Second, OpenSSH on Linux treats a leading ! as "account locked" and refuses every login method, keys included, for such an account when sshd runs with UsePAM no; with the distribution default of UsePAM yes the PAM account stack decides instead and key logins go through, which is what the rest of this example relies on. If you cannot be sure which applies, * is the safer value.
Now prefix the public key in the authorized_keys file with a command="/thing/to/do" option. sshd then ignores whatever the client asked to run and executes that command instead; the client's original request is still handed to it in the SSH_ORIGINAL_COMMAND environment variable, so the command can inspect it without ever executing it. A forced command on its own does not stop port forwarding, agent forwarding, X11 forwarding or PTY allocation, so in practice combine it with restrict (OpenSSH 7.2 and later) or the older no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty list.
eg
# ls -l $PWD/authorized_keys
-rw-r--r-- 1 tst tst 431 Aug 17 17:54 /home/tst/.ssh/authorized_keys
# cat $PWD/authorized_keys
command="/bin/echo hello" ssh-rsa AAAAB3NzaC1yc2E....etcetc
Now this key can be used, but the only thing it can be used for is that forced command:
$ ssh -i ~/.ssh/id_rsa tst@test1
hello
Connection to test1 closed.
If you ask for anything else, the request is not run at all; sshd substitutes the forced command, and the requested command is only visible to it as SSH_ORIGINAL_COMMAND (which /bin/echo never looks at):
$ ssh -i ~/.ssh/id_rsa tst@test1 reboot
hello
$
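The forced command above is just /bin/echo, which shows the mechanism but not how it is normally used. The script below is an added example (my own code, not from the original page or from OpenSSH) of the usual pattern: it reads the client's request from SSH_ORIGINAL_COMMAND, allows a fixed set of subcommands with exact matches, refuses everything else with a non-zero exit, and prints the authorized_keys entry (with restrict) to install for the tst user. The install path /usr/local/bin/tst-dispatch, the --serve flag, the do-backup script and the sample key are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original page: a forced-command dispatcher
# for the locked "tst" account, plus a helper that builds the authorized_keys
# line. The install path /usr/local/bin/tst-dispatch, the --serve flag, the
# do-backup script and the sample public key are assumptions for the example.

# sshd runs a forced command through the user's login shell and hands the
# client's original request over in SSH_ORIGINAL_COMMAND (unset when the
# client asked for a plain shell). Map that request onto a fixed allowlist
# with exact "case" matches; never eval or re-exec the string, or the
# allowlist is gone.
dispatch() {
    requested=${1:-}
    case "$requested" in
        "")
            printf 'hello\n'                               # plain "ssh tst@host"
            ;;
        status)
            printf 'uptime: %s\n' "$(uptime)"
            ;;
        backup)
            printf 'would run /usr/local/bin/do-backup\n'  # hypothetical script
            ;;
        *)
            # "status; id", "reboot", etc. all land here and get nothing.
            printf 'denied: %s\n' "$requested" >&2
            return 1
            ;;
    esac
}

# Build the authorized_keys entry. "restrict" (OpenSSH 7.2+) disables pty,
# port/agent/X11 forwarding and ~/.ssh/rc on top of the forced command, so
# the key cannot be used as a tunnel even though the command itself is tame.
authorized_keys_line() {
    printf 'restrict,command="%s" %s\n' "$1" "$2"
}

# Serving mode: this is what the forced command invokes on every connection.
if [ "${1:-}" = --serve ]; then
    dispatch "${SSH_ORIGINAL_COMMAND:-}"
    exit $?
fi

# Offline demo (no sshd needed): print the entry to install, then show the
# decisions for a few requests a client might send.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyNotRealXXXXXXXXXXXXXXXXXXXX tst@client'  # constructed
authorized_keys_line "/usr/local/bin/tst-dispatch --serve" "$SAMPLE_KEY"
for req in "" status backup "status; id" reboot; do
    dispatch "$req" || printf 'request "%s" refused (exit %s)\n' "$req" "$?"
done
```

Install the script as /usr/local/bin/tst-dispatch, put the printed line into /home/tst/.ssh/authorized_keys in place of the /bin/echo entry, and ssh tst@test1 status returns the uptime while ssh tst@test1 reboot gets "denied: reboot" and exit status 1. Because the case patterns match the whole string and the script never passes SSH_ORIGINAL_COMMAND to a shell, a request such as 'status; id' is refused rather than partly honoured.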