[CentOS] ultrasecure sshd server

Les Mikesell lesmikesell at gmail.com
Sat Jun 11 16:05:31 UTC 2011


On 6/10/11 10:48 AM, Eero Volotinen wrote:
> 2011/6/10 Les Mikesell<lesmikesell at gmail.com>:
>> On 6/10/2011 3:35 AM, Ljubomir Ljubojevic wrote:
>>> Robert Spangler wrote:
>>>> On Thursday 09 June 2011 17:34, the following was written:
>>>>
>>>>>    How to configure sshd to require both ssh public key and user
>>>>>    password also? yes, stupid, but required on my setup..
>>>>
>>>> Have you thought about securing your ssh keys with a password? I do that here
>>>> so if someone would happen to get a hold of my keys they still could not use
>>>> them.  I am guessing that is why you are looking for both keys and passwords.
>>>>
>>>>
>>> Not really. My view is so he can authenticate from his own PC without
>>> the need to type the password, but if he is on someone else's system he
>>> would use regular password. That is what I would like to be able to do.
>>
>> That's just normal behavior when both are enabled.  If the key works,
>> you don't get the password prompt.  But even in the 'ultrasecure'
>> scenario of requiring both, do you really want people typing their
>> passwords on equipment that might have a keylogger running?
>
> Yes, because of compliance requirements. ssh public key does not
> support expiring public keys. (maybe you can use cron job to delete too
> old public keys from server?)

You could do that - or disable the logins where old keys exist, but you'd need 
to keep your own database of old keys to check since they are appended in the 
file and you probably wouldn't trust the timestamp anyway.  And you'd need some 
way to fix the situation after the user is locked out.

How about running openvpn with client certs to get through a firewall, then ssh 
with passwords?  That could all run on the same box or you could only block port 
22 from 'outside' for more convenient access.

-- 
   Les Mikesell
    lesmikesell at gmail.com
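The key-age bookkeeping Les describes above, as an added example that is not part of the thread: a Python script (assumed available on the server) that parses authorized_keys, records the first-seen time of each key fingerprint in a registry you persist yourself (the JSON-able dict and the `#EXPIRED ` prefix are this example's own conventions), and comments out rather than deletes entries older than the limit so an admin can reverse the lockout.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
DISABLED_MARK = "#EXPIRED "  # sshd ignores '#' lines; the key stays on file

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_blob(line):
    """Base64 blob of an active key line; None for comment/blank/unknown lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields[:-1]):  # scanning copes with an options prefix
        if field in KEY_TYPES:
            return fields[i + 1]
    return None

def review_keys(text, registry, now, max_age_days):
    """Record first-seen time per key fingerprint and disable keys older
    than the limit.  Returns (new text, registry, disabled fingerprints)."""
    out, disabled = [], []
    for line in text.splitlines():
        blob = key_blob(line)
        if blob is not None:
            fp = fingerprint(blob)
            first_seen = datetime.fromisoformat(
                registry.setdefault(fp, now.isoformat()))
            if now - first_seen > timedelta(days=max_age_days):
                disabled.append(fp)
                line = DISABLED_MARK + line
        out.append(line)
    return "\n".join(out) + "\n", registry, disabled

# Constructed sample: the blobs are arbitrary bytes, not real keys.
OLD_BLOB = base64.b64encode(b"constructed old key material").decode()
NEW_BLOB = base64.b64encode(b"constructed new key material").decode()
SAMPLE_KEYS = ("# keys for alice\n"
               f'from="10.0.0.0/8",no-pty ssh-rsa {OLD_BLOB} alice@laptop\n'
               f"ssh-ed25519 {NEW_BLOB} alice@desk\n")
NOW = datetime(2011, 6, 11, 16, 5, 31, tzinfo=timezone.utc)
SAMPLE_REGISTRY = {fingerprint(OLD_BLOB): (NOW - timedelta(days=400)).isoformat()}

def demo(max_age_days=365):
    # One review pass over the sample; the 400-day-old key gets commented out.
    return review_keys(SAMPLE_KEYS, dict(SAMPLE_REGISTRY), NOW, max_age_days)
```

Run it from cron and persist the registry (for example as JSON) between runs; the disabled line keeps its options and comment, so restoring a user is a matter of removing the prefix. Newer OpenSSH releases (6.2 and later) can also require both factors directly with `AuthenticationMethods publickey,password` in sshd_config.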
