[kwlug-disc] How to ... having ssh key connected ... ask for password, logout if fail?
B.S.
bs27975.2 at gmail.com
Wed Oct 5 12:05:40 EDT 2016
On 10/05/2016 10:50 AM, Digimer wrote:
> You can still write scripts to fill in passwords with 'expect'.
But don't want to - that would mean special scripts everywhere else.
Changing ~.ssh/rc only means only one place to maintain.
> On 05/10/16 10:45 AM, Khalid Baheyeldin wrote:
>> Passphrases are a built-in feature of the ssh private key itself.
Yep.
>> In order to change your key's passphrase, type the following command:
>>
>> $ ssh-keygen -p
Passphrases will be kept empty.
>> No need for mucking with shells, login, ...etc.
Obversely, no need to muck with passphrases.
>> Just be aware that if you do add a passphrase, then batch scripts that
>> you wrote and use scp ...etc. will not work since it will prompt for a
>> password.
Which is why / the point of not having passphrases.
>> On Wed, Oct 5, 2016 at 10:10 AM, B.S. <bs27975.2 at gmail.com> wrote:
>>> I have set up key files for ssh'ing in. key passphrases are empty. ssh
>>> me at mine takes me straight to a prompt. This is 'good'.
>>>
>>> (1) How to be asked for a password once connected?
>>>
>>> (i.e. key files limit external access to ssh server [no keyfile, no access]
>>> - but with an empty passphrase, how to know the user is authorized / the key
>>> didn't get copied somewhere else / someone else isn't using it?) [Ignore
>>> proper permissions / file restriction settings - assume root is accessing
>>> the file.]
>>>
>>> Really, I'd like to be asked to log in post ssh passwordless connect, and
>>> logged out if that fails.
>>>
>>> The beginnings of an answer appears to be to create a ~.ssh/rc script.
>>> (Which runs sh, not bash, BTW.) [[ ${SSH_CONNECTION:1:11} == $local_lan ]]
>>> no workie.
>>>
>>> 'login' doesn't do it, won't even run - once connected, one is in a non-root
>>> environment. 'kill -9 $PPID' doesn't logout - only kills the shell calling
>>> rc.
>>>
>>> (2) How to force logout if password verification fails?
>>>
>>> See 'login' doesn't do it. Note (kubuntu 12.04) has no logout command.
>>> logout IS an internal bash command, but not an internal sh (dash) command -
>>> which is how rc gets run. 'kill -HUP `ps -ef |grep $USER|grep bash|awk
>>> {'print $2'}`' would do it, but also kills all local shells at the same time
>>> - undesirable.
>>>
>>> (3) or ... how to limit remote connections to ssh (not knowing where one
>>> might be, with their usb stick containing the keyfiles, that day), then
>>> login with password as usual?
More information about the kwlug-disc
mailing list