Hi,
How do I configure sshd to require both an ssh public key and the user's password? Yes, stupid, but required on my setup.
-- Eero
On 09.06.2011 at 23:34, Eero Volotinen wrote:
Hi,
How do I configure sshd to require both an ssh public key and the user's password? Yes, stupid, but required on my setup.
-- Eero _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Used google lately? http://www.google.com/search?client=safari&rls=en&q=sshd+key+passwor... =psy&hl=en&client=safari&rls=en&source=hp&q=ssh+key+and +password&aq=f&aqi=&aql=&oq=&pbx=1&bav=on. 2,or.r_gc.r_pw.&fp=b9cfb64a5f16eb0c&biw=1444&bih=948
That's for accelerating my pulse for two seconds.
2011/6/10 Rainer Duffner rainer@ultra-secure.de:
Used google lately? http://www.google.com/search?client=safari&rls=en&q=sshd+key+passwor... =psy&hl=en&client=safari&rls=en&source=hp&q=ssh+key+and +password&aq=f&aqi=&aql=&oq=&pbx=1&bav=on. 2,or.r_gc.r_pw.&fp=b9cfb64a5f16eb0c&biw=1444&bih=948
That's for accelerating my pulse for two seconds.
Well, some say that it's possible with pam hacks.
The main problem is that an openssh public key does not contain expiry information (it is not possible to expire public keys). It might be possible with openssh certificates?
-- Eero
On 10.06.2011 at 00:02, Eero Volotinen wrote:
Well, some say that it's possible with pam hacks.
The main problem is that an openssh public key does not contain expiry information (it is not possible to expire public keys). It might be possible with openssh certificates?
As I understand it (following the arstechnica link, then using the RequiredAuthentication keyword as a new search term) - it's only impossible with openssh.
2011/6/10 Rainer Duffner rainer@ultra-secure.de:
As I understand it (following the arstechnica link, then using the RequiredAuthentication keyword as a new search term) - it's only impossible with openssh.
So this requires the ssh.com (Tectia) client and server? The commercial version?
-- Eero
2011/6/10 Eero Volotinen eero.volotinen@iki.fi:
So this requires the ssh.com (Tectia) client and server? The commercial version?
-- Eero
Looks like there is a patch for openssh:
https://bugzilla.mindrot.org/show_bug.cgi?id=983
-- Eero
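An added note and example, not part of the thread: OpenSSH 6.2 (released in 2013, after this discussion) introduced the AuthenticationMethods directive, which makes "public key AND password" a stock sshd setting with no patch or commercial server. The script below, written for this page rather than taken from any poster, parses an sshd_config text and reports whether it actually enforces both factors; the two sample configs are constructed.

```python
"""Audit an sshd_config for 'public key AND password' enforcement.

Added example, not from the mailing list thread. It relies on the
AuthenticationMethods directive that OpenSSH added in 6.2 (2013),
which did not exist when this thread was written.
"""

# Methods that count as the password factor in a method chain.
SECOND_FACTORS = {"password", "keyboard-interactive"}


def parse_sshd_config(text):
    """Return the first value of each global keyword (keys lower-cased).

    sshd honours the first occurrence of a keyword. Settings inside a
    Match block apply only to matching connections, so they are skipped
    here and would need their own audit."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, value)
    return settings


def requires_key_and_password(settings):
    """True only if every allowed chain pairs publickey with a password
    factor and neither side has been switched off elsewhere."""
    methods = settings.get("authenticationmethods", "any").lower()
    if methods == "any":
        return False  # the default: one successful method is enough
    chains = [c.split(",") for c in methods.split()]
    for chain in chains:
        names = {m.split(":")[0] for m in chain}  # drop ':pam'-style suffixes
        if "publickey" not in names or not names & SECOND_FACTORS:
            return False
    if settings.get("pubkeyauthentication", "yes").lower() == "no":
        return False
    # A chain naming 'password' also needs PasswordAuthentication left on.
    if any("password" in chain for chain in chains) and \
            settings.get("passwordauthentication", "yes").lower() == "no":
        return False
    return True


# Constructed sample configs (not from any real host).
WEAK_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication yes
# No AuthenticationMethods line: either factor alone logs you in.
"""

HARDENED_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, requires_key_and_password(parse_sshd_config(cfg)))
```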
At Fri, 10 Jun 2011 00:34:06 +0300 CentOS mailing list centos@centos.org wrote:
Hi,
How do I configure sshd to require both an ssh public key and the user's password? Yes, stupid, but required on my setup.
Just require an ssh public key AND require that public keys be created with a passphrase.
On Thu, Jun 09, 2011 at 08:53:30PM -0400, Robert Heller wrote:
Just require an ssh public key AND require that public keys be created with a passphrase.
Is this enforceable if you don't have access to users' private keys? (e.g., they are on servers not under your control)
--keith
2011/6/10 Robert Heller heller@deepsoft.com:
Just require an ssh public key AND require that public keys be created with a passphrase.
This is not the same case. I need publickey and normal password authentication, not a password-protected private key.
-- Eero
On 6/10/11, Eero Volotinen eero.volotinen@iki.fi wrote:
This is not the same case. I need publickey and normal password authentication, not a password-protected private key.
How about using the ForceCommand described here https://calomel.org/openssh.html to add a second layer of authentication? In his case, he used a date-related question, but it should be possible to run a script checking for a normal login password?
On 06/09/11 8:59 PM, Eero Volotinen wrote:
This is not the same case. I need publickey and normal password authentication, not a password-protected private key.
I've not heard of *any* SSH system that worked that way; it's key or password, not and. I don't think the ssh protocol supports stacking auth methods like that.
2011/6/10 John R Pierce pierce@hogranch.com:
I've not heard of *any* SSH system that worked that way; it's key or password, not and. I don't think the ssh protocol supports stacking auth methods like that.
Looks like Tectia ssh supports it, and openssh also with a patch.
I think I can resolve the issue by patching openssh-server.
-- Eero
On 06/09/11 10:53 PM, Eero Volotinen wrote:
2011/6/10 John R Pierce pierce@hogranch.com:
Looks like Tectia ssh supports it, and openssh also with a patch.
I think I can resolve the issue by patching openssh-server.
And most SSH clients will play along with being asked for multiple authentication methods sequentially?
On Thursday 09 June 2011 17:34, the following was written:
How do I configure sshd to require both an ssh public key and the user's password? Yes, stupid, but required on my setup.
Have you thought about securing your ssh keys with a password? I do that here, so if someone happened to get hold of my keys they still could not use them. I am guessing that is why you are looking for both keys and passwords.
Robert Spangler wrote:
Have you thought about securing your ssh keys with a password? I do that here, so if someone happened to get hold of my keys they still could not use them. I am guessing that is why you are looking for both keys and passwords.
Not really. My view is that he can authenticate from his own PC without the need to type the password, but if he is on someone else's system he would use the regular password. That is what I would like to be able to do.
Ljubomir
Not really. My view is that he can authenticate from his own PC without the need to type the password, but if he is on someone else's system he would use the regular password. That is what I would like to be able to do.
That is possible for the root account. You can allow sshd to log you in as root via public key without forcing you to log in as an unprivileged user first. You can do this by changing your sshd_config: PermitRootLogin without-password
I am not sure if this is possible for regular logins too. Sorry.
On 10.6.2011 10:35, Ljubomir Ljubojevic wrote:
Not really. My view is that he can authenticate from his own PC without the need to type the password, but if he is on someone else's system he would use the regular password. That is what I would like to be able to do.
And why are you not able to? A standard ssh setup falls back to password authentication if no key is available.
If you don't want to type the password every time, use ssh-agent (there is an equivalent thing in Windows provided by PuTTY, I think, but I forgot its name). You will need to type the passphrase only once.
Markus Falb wrote:
And why are you not able to? A standard ssh setup falls back to password authentication if no key is available.
If you don't want to type the password every time, use ssh-agent (there is an equivalent thing in Windows provided by PuTTY, I think, but I forgot its name). You will need to type the passphrase only once.
I should have been a little more precise. The truth is I never found time to try/solve it; there is always something else to do. But I *would* like to set it up. I already have direct root access to my units via ssh, and I have denyhosts guarding me from crackers, so it is not something I cannot live without.
Ljubomir
On 6/10/2011 3:35 AM, Ljubomir Ljubojevic wrote:
Not really. My view is that he can authenticate from his own PC without the need to type the password, but if he is on someone else's system he would use the regular password. That is what I would like to be able to do.
That's just normal behavior when both are enabled. If the key works, you don't get the password prompt. But even in the 'ultrasecure' scenario of requiring both, do you really want people typing their passwords on equipment that might have a keylogger running?
2011/6/10 Les Mikesell lesmikesell@gmail.com:
That's just normal behavior when both are enabled. If the key works, you don't get the password prompt. But even in the 'ultrasecure' scenario of requiring both, do you really want people typing their passwords on equipment that might have a keylogger running?
Yes, because of compliance requirements. ssh public keys do not support expiry. (Maybe you can use a cron job to delete too-old public keys from the server?)
-- Eero
On 6/10/11 10:48 AM, Eero Volotinen wrote:
2011/6/10 Les Mikesell lesmikesell@gmail.com:
That's just normal behavior when both are enabled. If the key works, you don't get the password prompt. But even in the 'ultrasecure' scenario of requiring both, do you really want people typing their passwords on equipment that might have a keylogger running?
Yes, because of compliance requirements. ssh public keys do not support expiry. (Maybe you can use a cron job to delete too-old public keys from the server?)
You could do that - or disable the logins where old keys exist, but you'd need to keep your own database of old keys to check since they are appended in the file and you probably wouldn't trust the timestamp anyway. And you'd need some way to fix the situation after the user is locked out.
How about running openvpn with client certs to get through a firewall, then ssh with passwords? That could all run on the same box or you could only block port 22 from 'outside' for more convenient access.
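Eero's cron-job idea and Les's refinement (keep your own record of when each key appeared, since the file's timestamp is not trustworthy, and leave a way back for a locked-out user) as an added worked example; this is not code from the thread. The sample authorized_keys lines are constructed stand-ins rather than real keys, and the 90-day policy and the first-seen map are assumptions of the example.

```python
"""Disable authorized_keys entries older than a policy age.

Added example, not from the thread. OpenSSH public keys carry no expiry,
so this keeps its own record of when each key was first seen and comments
expired entries out instead of deleting them, so restoring a locked-out
user is a one-line edit. The sample keys are constructed, not real.
"""
import base64
import hashlib
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # policy assumed for this example


def key_fingerprint(line):
    """SHA256 fingerprint of a key line, or None for comments/garbage.
    Leading options such as from="..." are skipped by locating the
    key-type token; the base64 blob is the token after it."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            digest = base64.b64encode(hashlib.sha256(blob).digest())
            return "SHA256:" + digest.decode().rstrip("=")
    return None


def expire_keys(lines, first_seen, now):
    """Return (new_lines, first_seen, disabled_fingerprints).
    first_seen maps fingerprint -> ISO timestamp; a key not yet recorded
    is stamped with now, so its clock starts at this run."""
    cutoff = now - timedelta(days=MAX_AGE_DAYS)
    out, disabled = [], []
    for line in lines:
        fp = key_fingerprint(line)
        if fp is None:
            out.append(line)  # comments and blanks pass through
            continue
        seen = datetime.fromisoformat(first_seen.setdefault(fp, now.isoformat()))
        if seen < cutoff:
            out.append("# EXPIRED %s %s" % (now.date().isoformat(), line))
            disabled.append(fp)
        else:
            out.append(line)
    return out, first_seen, disabled


def _fake_blob(seed):
    """Constructed stand-in for a key blob (valid base64, not a real key)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519" + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()


SAMPLE_KEYS = [  # constructed authorized_keys content
    "ssh-ed25519 " + _fake_blob(b"old-laptop") + " eero@old-laptop",
    'from="10.0.0.0/8" ssh-ed25519 ' + _fake_blob(b"new-laptop") + " eero@new-laptop",
    "# comment lines are passed through untouched",
]
SAMPLE_DB = {key_fingerprint(SAMPLE_KEYS[0]): "2011-01-01T00:00:00+00:00"}


def run_sample():
    """Apply the policy to the sample as of 10 June 2011 (constructed date)."""
    now = datetime(2011, 6, 10, tzinfo=timezone.utc)
    return expire_keys(list(SAMPLE_KEYS), dict(SAMPLE_DB), now)


if __name__ == "__main__":
    for line in run_sample()[0]:
        print(line)
```

In production the first-seen map would be persisted (for example as JSON under /root) and the disabled fingerprints reported to the admin, so the lockout Les mentions is visible and reversible.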
Les Mikesell wrote:
That's just normal behavior when both are enabled. If the key works, you don't get the password prompt. But even in the 'ultrasecure' scenario of requiring both, do you really want people typing their passwords on equipment that might have a keylogger running?
One scenario is the business customers I maintain. They are almost all on my network, and I have servers I maintain/admin 400 km away that are not mine. When I am logged in there, or on-site, I often need to pull some data from my main server. Sometimes FTP is enough, but sometimes I need to use SFTP or SCP to access sensitive scripts, or to log in (when I am on-site on a far-away network).
How do you propose that I use key-only auth? To copy my sensitive key onto their system? Or is it better in that case to just use password auth? I avoid using my passwords on infected systems, or without proper protection, but on safe systems it is better to use passwords than keys.
And of course, I have a brother with root access who does not own a laptop. And if I even tried to force him to use keys for every connection, I would have a blue eye in a matter of days ;-)
Ljubomir
On Jun 10, 2011, at 12:04 PM, Ljubomir Ljubojevic wrote:
One scenario is the business customers I maintain. They are almost all on my network, and I have servers I maintain/admin 400 km away that are not mine. When I am logged in there, or on-site, I often need to pull some data from my main server. Sometimes FTP is enough, but sometimes I need to use SFTP or SCP to access sensitive scripts, or to log in (when I am on-site on a far-away network).
How do you propose that I use key-only auth? To copy my sensitive key onto their system? Or is it better in that case to just use password auth? I avoid using my passwords on infected systems, or without proper protection, but on safe systems it is better to use passwords than keys.
And of course, I have a brother with root access who does not own a laptop. And if I even tried to force him to use keys for every connection, I would have a blue eye in a matter of days ;-)
Put your private key(s) on a USB flash drive and use the '-i' option with ssh.
I heavily recommend that you use passwords to protect your keys, though.
Craig
On 6/10/2011 2:09 PM, Craig White wrote:
Put your private key(s) on a USB flash drive and use the '-i' option with ssh.
I heavily recommend that you use passwords to protect your keys, though.
If you knew someone was going to do that on a machine you controlled, would you be able to capture both the key and the password keystrokes?
A one-time password might be a better approach. We use juniper's ssl vpn with keyfob cryptocards for remote connections but another part of the company maintains it and I don't know what it costs.
How do I configure sshd to require both an ssh public key and the user's password? Yes, stupid, but required on my setup.
If you want 2-factor authentication, you can add YubiKeys. They are little USB dongles that provide one-time passwords. And the server side for those is open source if you don't want to use their authentication servers. And they are relatively cheap.
We use these here on our border servers to increase security.
Regards,
2011/6/10 Nicolas Ross rossnick-lists@cybercat.ca:
If you want 2-factor authentication, you can add YubiKeys. They are little USB dongles that provide one-time passwords. And the server side for those is open source if you don't want to use their authentication servers. And they are relatively cheap.
We use these here on our border servers to increase security.
Is this easy to integrate with the openssh server on CentOS 5.x?
-- Eero
Is this easy to integrate with the openssh server on CentOS 5.x?
There are 2 rpms in EPEL (libyubikey and pam_yubico) that make it pretty easy to integrate into openssh (via PAM).
Another option that you might want to look at is putting up an OpenBSD gateway running authpf (see http://www.openbsd.org/faq/pf/authpf.html).
The model there is an outside user has to open up an ssh shell to the authpf gateway before they are allowed to access services inside the network. If their gateway shell goes away, so does their access. If you require password / secure token / whatever auth on the gateway, then you do that once and then you can use ssh-key auth to get to your inside machines as much as you'd like.
Authpf can be used to allow/restrict access to arbitrary network services; it's not limited to just ssh. The shell the user gets on the authpf gateway is not usable for anything else; it just sits there until the user logs out, so it can't be used to crack the gateway or internal machines.
Devin
Devin Reade wrote:
Another option that you might want to look at is putting up an OpenBSD gateway running authpf (see http://www.openbsd.org/faq/pf/authpf.html).
The model there is an outside user has to open up an ssh shell to the authpf gateway before they are allowed to access services inside the network. If their gateway shell goes away, so does their access. If you require password / secure token / whatever auth on the gateway, then you do that once and then you can use ssh-key auth to get to your inside machines as much as you'd like.
Authpf can be used to allow/restrict access to arbitrary network services; it's not limited to just ssh. The shell the user gets on the authpf gateway is not usable for anything else; it just sits there until the user logs out, so it can't be used to crack the gateway or internal machines.
That is not something to strive for. What about my WISP network? How would I protect multiple systems not at a single location and with multiple incoming paths? Adding another box is the worst of all options.
Ljubomir
On Friday, June 10, 2011 08:55:47 PM +0200 Ljubomir Ljubojevic office@plnet.rs wrote:
Devin Reade wrote:
Another option that you might want to look at is putting up an OpenBSD gateway running authpf (see http://www.openbsd.org/faq/pf/authpf.html).
[snip]
That is not something to strive for.
Depends on the requirements.
What about my WISP network? How would I protect multiple systems not at a single location and with multiple incoming paths? Adding another box is the worst of all options.
The OP (to which I was responding) didn't say anything about such a configuration. I'm not suggesting that authpf solves all the world's problems. Would one gateway protect disjoint networks? No. But on the other hand, multihomed networks are just fine.
Having lots of tools in your toolbox lets you pick the best one for the job. If it's not the right tool, don't use it. But that doesn't reflect on the tool, just on its applicability to the task at hand.
Devin
2011/6/10 Devin Reade gdr@gno.org:
Depends on the requirements.
Adding more boxes to the network and still not resolving the original problem is not really a good way.
-- Eero