[kwlug-disc] How to ... having ssh key connected ... ask for password, logout if fail?

Chamunks chamunks at gmail.com
Wed Oct 5 11:42:05 EDT 2016


ef.gy is recommending an RSA key; if you want something a lot more secure,
try an elliptic curve instead. Ed25519 seems to have the least government
involvement out of all of them.

ssh-keygen -t ed25519 -C "$(whoami)"@"$HOSTNAME" -q -f ~/.ssh/id_ed25519 -N ""

On Wed, Oct 5, 2016, 11:28 AM bob+kwlug at softscape.ca <bob+kwlug at softscape.ca>
wrote:

> It sounds as though you are trying to implement something akin to a client
> certificate. Ie: the ssh server needs to know you are a "good guy" before
> it will even ask you to present a password.
>
> Is that the case?
>
> If so, perhaps ssh keys are not really the mechanism you want to use.
>
> I cringe at the notion of a password-less ssh private key.
>
> A quick google search came up with an article that contains the sentence
> "SSH certificates are the latest and greatest enhancement to the public and
> private key authentication SSH has to offer". (https://ef.gy/hardening-ssh
> )
>
> Perhaps there is something there that will achieve what you are looking
> for.
>
> BB
>
>
>
> > Subject: [kwlug-disc] How to ... having ssh key connected ... ask for
> > password, logout if fail?
> >
> > I have set up key files for ssh'ing in. key passphrases are empty. ssh
> > me at mine takes me straight to a prompt. This is 'good'.
> >
> > (1) How to be asked for a password once connected?
> >
> > (i.e. key files limit external access to ssh server [no keyfile, no
> > access] - but with an empty passphrase, how to know the user is
> > authorized / the key didn't get copied somewhere else / someone else
> > isn't using it?) [Ignore proper permissions / file restriction settings
> > - assume root is accessing the file.]
> >
> > Really, I'd like to be asked to log in post ssh passwordless connect,
> > and logged out if that fails.
> >
> > The beginnings of an answer appear to be to create a ~/.ssh/rc script.
> > (Which runs sh, not bash, BTW.) [[ ${SSH_CONNECTION:1:11} == $local_lan
> > ]] no workie.
> >
> > 'login' doesn't do it, won't even run - once connected, one is in a
> > non-root environment. 'kill -9 $PPID' doesn't logout - only kills the
> > shell calling rc.
> >
> > (2) How to force logout if password verification fails?
> >
> > See 'login' doesn't do it. Note (kubuntu 12.04) has no logout command.
> > logout IS an internal bash command, but not an internal sh (dash)
> > command - which is how rc gets run. 'kill -HUP `ps -ef |grep $USER|grep
> > bash|awk {'print $2'}`' would do it, but also kills all local shells at
> > the same time - undesirable.
> >
> > (3) or ... how to limit remote connections to ssh (not knowing where one
> > might be, with their usb stick containing the keyfiles, that day), then
> > login with password as usual?
> >
> >
> > _______________________________________________
> > kwlug-disc mailing list
> > kwlug-disc at kwlug.org
> > http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
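The original poster's `~/.ssh/rc` test fails because sshd runs that file with /bin/sh (dash on Ubuntu), which has neither `[[ ]]` nor `${VAR:offset:length}`. The script below is an added example, not code from anyone in this thread: it extracts the client address from SSH_CONNECTION and matches it against a LAN prefix using only POSIX constructs, failing closed when the variable or the prefix is empty. The LAN prefix and the sample SSH_CONNECTION value are constructed. Note that rc still cannot end the session, since sshd runs it before the shell and ignores its exit status; requiring a password on top of the key is a server-side setting (`AuthenticationMethods publickey,password` in sshd_config, OpenSSH 6.2 and later, optionally scoped to non-LAN clients with a `Match Address` block), which is the mechanism that actually addresses questions (1) and (2).

```shell
#!/bin/sh
# Added example, not from the thread. POSIX sh replacement for the bash-only
# test `[[ ${SSH_CONNECTION:1:11} == $local_lan ]]`; sshd runs ~/.ssh/rc with
# /bin/sh, so bash substring expansion and [[ ]] are not available there.
#
# sshd sets SSH_CONNECTION to: "client_ip client_port server_ip server_port"

# ssh_client_ip CONNECTION
#   Print the client address (the first space-separated field). Works for IPv6
#   as well, since an address never contains a space. Empty input prints nothing.
ssh_client_ip() {
    printf '%s\n' "${1%% *}"
}

# client_on_lan CONNECTION LAN_PREFIX
#   Return 0 when the client address starts with LAN_PREFIX, 1 otherwise.
#   Use a prefix that ends at an octet boundary ("192.168.1." rather than
#   "192.168.1"), or 192.168.10.x would match too. An empty connection string
#   or an empty prefix never matches, so the check fails closed.
client_on_lan() {
    [ -n "$2" ] || return 1
    ip=$(ssh_client_ip "$1")
    case $ip in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Demo: constructed prefix and a constructed connection string, used only when
# this is not run inside an ssh session (where sshd provides SSH_CONNECTION).
local_lan='192.168.1.'
conn=${SSH_CONNECTION:-"192.168.1.42 51234 192.168.1.10 22"}
if client_on_lan "$conn" "$local_lan"; then
    echo "client $(ssh_client_ip "$conn") is on the LAN"
else
    echo "client $(ssh_client_ip "$conn") is remote"
fi
```

Drop the two functions into `~/.ssh/rc` to branch on where the client came from (for example to log or notify on remote logins); enforcement of the key-plus-password policy itself belongs in sshd_config as described above.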