I am setting up a publicly exposed ssh server. I would like to require both password and private key. Does anyone know how to configure this?
Thanks,
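As an added example (not part of this thread, and not what any of the replies below describe): OpenSSH 6.2 and later has a server-side directive, `AuthenticationMethods`, that makes sshd require every listed method in turn, so `publickey,password` means a valid key AND the account password (checked through PAM/LDAP on the server) are both needed. That is different from a passphrase on the key, which is enforced only on the client and is invisible to the server. The script below puts the weak configuration beside the corrected one and includes a small checker, `requires_key_and_password`, that reads an sshd_config file and reports whether every alternative in `AuthenticationMethods` demands both a key and a password. The two config snippets are constructed for the example; the function name and the `UsePAM` line are assumptions about a typical LDAP-via-PAM setup.

```shell
#!/bin/sh
# Added example, not from the thread: the sshd_config that makes OpenSSH
# (6.2+) demand BOTH a key and a password, plus a checker for the file.

# Weak (constructed sample): with both methods merely enabled, sshd accepts
# EITHER a key OR a password. A passphrase on the key is a client-side
# detail that sshd never sees, so it cannot be what the server enforces.
WEAK_CONF='PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no'

# Fixed (constructed sample): AuthenticationMethods lists methods that must
# ALL succeed, in order. The key is verified first, then the password is
# passed to PAM (assumed here to be backed by LDAP), so a stolen key alone
# or a phished password alone is not enough to log in.
STRONG_CONF='PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
AuthenticationMethods publickey,password'

# requires_key_and_password FILE
# Returns 0 when FILE has an AuthenticationMethods line in which every
# space-separated alternative (a comma-separated list of methods) contains
# both "publickey" and "password" or "keyboard-interactive"; 1 otherwise.
# A missing directive, or the keyword "any", means either method suffices.
requires_key_and_password() {
    line=$(grep -iE '^[[:space:]]*AuthenticationMethods[[:space:]]' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    # shellcheck disable=SC2086
    set -- $line            # $1 = directive name, $2.. = alternatives
    shift
    [ "$#" -gt 0 ] || return 1
    for alt in "$@"; do
        case ",$alt," in
            *,publickey,*) ;;
            *) return 1 ;;
        esac
        case ",$alt," in
            *,password,*|*,keyboard-interactive,*|*,keyboard-interactive:*,*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Stand-alone demo: write both samples to temp files and report on each.
for name in WEAK_CONF STRONG_CONF; do
    tmp=$(mktemp)
    eval "printf '%s\n' \"\$$name\"" > "$tmp"
    if requires_key_and_password "$tmp"; then
        echo "$name: key AND password required"
    else
        echo "$name: key OR password is enough"
    fi
    rm -f "$tmp"
done
```

Usage: run the script as-is to see the two verdicts, or point `requires_key_and_password` at a real `/etc/ssh/sshd_config` before reloading sshd. The per-user part of the question is already covered by the directive: each LDAP user logs in under their own name, sshd looks up that user's `authorized_keys`, then asks for that user's password. Key passphrases stay a client-side matter (`ssh-keygen -p` changes one; `ssh-keygen -C` sets the comment shown in the prompt) and are not a substitute for this server-side setting.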
Setting up public key authentication over SSH
The trick is in that first step with ssh-keygen: if you provide a passphrase, anyone logging in will need both (a) the generated keys and (b) the passphrase. If you leave the passphrase blank, anyone with the key set up correctly can go in with a passwordless login.
Interesting question. Most people ask the opposite: “I’m trying to do password-less SSH, and it keeps asking for a password anyway!” … and the answer is, “you used a passphrase with ssh-keygen!”
That definitely helps. But…I want to use the LDAP user and password and require a private key. So each user has a different login, rather than a common login.
Any other thoughts on that?
I think there may be some confusion on the private key functionality. You could, in theory, use one private key for every user, but that does not make sense really, since the purpose of the private key is to be private (per user). When it is lost or needs to be changed you remove the corresponding public key (on the server side) and issue a new keypair (public to server, private to client), and that is the unique identification. If you try what you are suggesting then you will be using the strong security for the unimportant task (get everybody in) and the weak security for the important task (becoming a specific user).
With all of that said, you COULD hack around this by giving everybody the same private key (bleh) and having them SSH in as a generic user, and then once in you can have them su or sudo to their desired user using the system's password. It's not really the best way of doing things, since any compromise of the private key by any one of your many users will mean you now need to send out a new key to EVERY user… but if that's what you really want I guess it could work.
Good luck.
jkeen871 wrote:
> That definitely helps. But…I want to use the LDAP user and password
> and require a private key. So each user has a different login, rather
> than a common login.
>
> Any other thoughts on that?
Why do you want to do this? Why not give each person their own key with a passphrase? The person can even change their passphrase at will.
The key pair doesn't have to be generated by the user. Any computer can be used to generate it, but you may have to change the label, which defaults to the host generating the key, so that it gives the right prompt when used.