[kwlug-disc] How to ... having ssh key connected ... ask for password, logout if fail?

B.S. bs27975.2 at gmail.com
Wed Oct 5 12:08:53 EDT 2016


On 10/05/2016 11:25 AM, bob+kwlug at softscape.ca wrote:
> It sounds as though you are trying to implement something akin to a
> client certificate. I.e.: the ssh server needs to know you are a "good
> guy" before it will even ask you to present a password.
>
> Is that the case?

Yes. That's a good / interesting way to put it, thanks - hadn't thought 
of it that way.

> If so, perhaps ssh keys are not really the mechanism you want to
> use.

OK. (Not hung up on ssh keys - never occurred to me there might be 
another way. Thanks!)

> A quick google search came up with an article that contains the
> sentence "SSH certificates are the latest and greatest enhancement to
> the public and private key authentication SSH has to offer".
> (https://ef.gy/hardening-ssh)
>
> Perhaps there is something there that will achieve what you are
> looking for.

Will have to have a look, thank you.

>> Subject: [kwlug-disc] How to ... having ssh key connected ... ask
>> for password, logout if fail?
>>
>> I have set up key files for ssh'ing in. Key passphrases are empty.
>> ssh me at mine takes me straight to a prompt. This is 'good'.
>>
>> (1) How to be asked for a password once connected?
>>
>> (i.e. key files limit external access to ssh server [no keyfile,
>> no access] - but with an empty passphrase, how to know the user is
>> authorized / the key didn't get copied somewhere else / someone
>> else isn't using it?) [Ignore proper permissions / file restriction
>> settings - assume root is accessing the file.]
>>
>> Really, I'd like to be asked to log in post ssh passwordless
>> connect, and logged out if that fails.
>>
>> The beginnings of an answer appears to be to create a ~/.ssh/rc
>> script. (Which runs sh, not bash, BTW.) [[ ${SSH_CONNECTION:1:11}
>> == $local_lan ]] no workie.
>>
>> 'login' doesn't do it, won't even run - once connected, one is in
>> a non-root environment. 'kill -9 $PPID' doesn't logout - only kills
>> the shell calling rc.
>>
>> (2) How to force logout if password verification fails?
>>
>> See 'login' doesn't do it. Note (kubuntu 12.04) has no logout
>> command. logout IS an internal bash command, but not an internal sh
>> (dash) command - which is how rc gets run. 'kill -HUP `ps -ef |grep
>> $USER|grep bash|awk {'print $2'}`' would do it, but also kills all
>> local shells at the same time - undesirable.
>>
>> (3) or ... how to limit remote connections to ssh (not knowing
>> where one might be, with their usb stick containing the keyfiles,
>> that day), then login with password as usual?
>>
>>
>> _______________________________________________ kwlug-disc mailing
>> list kwlug-disc at kwlug.org
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
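As an added example that is not part of the thread: the ~/.ssh/rc check quoted above, rewritten in POSIX sh, because sshd runs rc with /bin/sh (dash on Ubuntu) rather than bash, so [[ ... ]] and ${SSH_CONNECTION:1:11} are not available there. The LOCAL_LAN_PREFIX value and the sample addresses are assumed placeholders.

```shell
#!/bin/sh
# Constructed example, not from the mailing-list thread.
# SSH_CONNECTION is set by sshd as "client_ip client_port server_ip server_port".
# ~/.ssh/rc is run by /bin/sh, so only POSIX constructs are used below.

# Assumed placeholder: the LAN prefix that counts as "local".
LOCAL_LAN_PREFIX="${LOCAL_LAN_PREFIX:-192.168.1.}"

# Print the client IP: everything before the first space, via POSIX
# parameter expansion (no bash-only ${var:offset:length}).
ssh_client_ip() {
    conn="$1"
    printf '%s\n' "${conn%% *}"
}

# Return 0 when the client IP in the SSH_CONNECTION string ($1) starts with
# the prefix ($2), 1 otherwise. A quoted prefix followed by an unquoted *
# in a case pattern is the portable replacement for [[ $a == $b ]].
ssh_client_is_local() {
    ip=$(ssh_client_ip "$1")
    case "$ip" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# What ~/.ssh/rc can do with the result: sshd runs rc before the user's
# shell starts and ignores its exit status, so this branch can log or
# warn about a remote client but cannot by itself end the session.
if [ -n "${SSH_CONNECTION:-}" ]; then
    if ssh_client_is_local "$SSH_CONNECTION" "$LOCAL_LAN_PREFIX"; then
        echo "ssh client on local LAN" >&2
    else
        echo "ssh client is remote: $(ssh_client_ip "$SSH_CONNECTION")" >&2
    fi
fi
```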