[kwlug-disc] How to ... having ssh key connected ... ask for password, logout if fail?

bob+kwlug at softscape.ca
Wed Oct 5 11:25:58 EDT 2016


It sounds as though you are trying to implement something akin to a client certificate, i.e. the ssh server needs to know you are a "good guy" before it will even ask you to present a password.

Is that the case?

If so, perhaps ssh keys are not really the mechanism you want to use.

I cringe at the notion of a password-less ssh private key.

A quick Google search came up with an article that contains the sentence "SSH certificates are the latest and greatest enhancement to the public and private key authentication SSH has to offer". (https://ef.gy/hardening-ssh)

Perhaps there is something there that will achieve what you are looking for.

BB



> Subject: [kwlug-disc] How to ... having ssh key connected ... ask for
> password, logout if fail?
> 
> I have set up key files for ssh'ing in. key passphrases are empty. ssh
> me at mine takes me straight to a prompt. This is 'good'.
> 
> (1) How to be asked for a password once connected?
> 
> (i.e. key files limit external access to ssh server [no keyfile, no
> access] - but with an empty passphrase, how to know the user is
> authorized / the key didn't get copied somewhere else / someone else
> isn't using it?) [Ignore proper permissions / file restriction settings
> - assume root is accessing the file.]
> 
> Really, I'd like to be asked to log in post ssh passwordless connect,
> and logged out if that fails.
> 
> The beginnings of an answer appear to be to create a ~/.ssh/rc script.
> (Which runs sh, not bash, BTW.) [[ ${SSH_CONNECTION:1:11} == $local_lan
> ]] no workie.
> 
> 'login' doesn't do it, won't even run - once connected, one is in a
> non-root environment. 'kill -9 $PPID' doesn't logout - only kills the
> shell calling rc.
> 
> (2) How to force logout if password verification fails?
> 
> See 'login' doesn't do it. Note (kubuntu 12.04) has no logout command.
> logout IS an internal bash command, but not an internal sh (dash)
> command - which is how rc gets run. 'kill -HUP `ps -ef |grep $USER|grep
> bash|awk {'print $2'}`' would do it, but also kills all local shells at
> the same time - undesirable.
> 
> (3) or ... how to limit remote connections to ssh (not knowing where one
> might be, with their usb stick containing the keyfiles, that day), then
> login with password as usual?
> 
> 
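As an added example (not from the thread or either poster), here is the client-address check the question's ~/.ssh/rc attempt was reaching for, written in POSIX sh because rc is run by sh rather than bash, so bash substring syntax like ${SSH_CONNECTION:1:11} is unavailable. The function names, the CIDR form of the LAN prefix and the sample SSH_CONNECTION value are my own choices.

```shell
#!/bin/sh
# Constructed sample of what sshd exports: "client_ip client_port server_ip server_port".
SAMPLE_SSH_CONNECTION="192.168.1.20 51234 192.168.1.10 22"

# ip4_to_int: print a dotted-quad IPv4 address as a decimal integer; fail on malformed input.
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1              # split on "." into the four octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac   # digits only
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR: succeed (0) if ADDR lies inside CIDR, e.g. 192.168.1.0/24.
in_cidr() {
    case $2 in */*) ;; *) return 1 ;; esac
    net=${2%/*}; bits=${2#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    addr=$(ip4_to_int "$1") || return 1
    netint=$(ip4_to_int "$net") || return 1
    # 32-bit mask with the top $bits bits set (decimal 4294967295 == 0xFFFFFFFF)
    mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
    [ $(( addr & mask )) -eq $(( netint & mask )) ]
}

# ssh_client_ip: print the client address (first field) of an SSH_CONNECTION value.
ssh_client_ip() {
    set -- $1
    [ -n "$1" ] || return 1
    printf '%s\n' "$1"
}

# lan_session SSH_CONNECTION_VALUE CIDR: succeed if the session came from inside CIDR.
lan_session() {
    client=$(ssh_client_ip "$1") || return 1
    in_cidr "$client" "$2"
}

# Usage as it would appear in ~/.ssh/rc: warn (to stderr, which the user sees) on a
# connection from outside the LAN. This runs after authentication has already succeeded.
if ! lan_session "${SSH_CONNECTION:-$SAMPLE_SSH_CONNECTION}" 192.168.1.0/24; then
    echo "warning: ssh session from outside the LAN" >&2
fi
```

Note that ~/.ssh/rc only runs once authentication has succeeded, so a check there can log or warn but is not an access control. Requiring both the key and a password is a server-side setting, `AuthenticationMethods publickey,password` in sshd_config (OpenSSH 6.2 or later), and restricting by source address belongs in a `Match Address` block there rather than in rc.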