[kwlug-disc] How to ... having ssh key connected ... ask for password, logout if fail?

B.S. bs27975.2 at gmail.com
Wed Oct 5 12:29:52 EDT 2016


On 10/05/2016 11:43 AM, Rashkae wrote:
> The usual way to add a password to ssh login is to add the password to
> the Keyfile.

Yes. The remote one. I'm looking for a single point of change on the 
server only.

AFAIK, you're not talking about the server's authorized keys file.

Mind you, I've only just checked into local authorized keys files, 
~/.ssh/authorized_keys (so at least the nefarious actor could only use 
the correct userids if they broke into the key file). And I found that 
authorized_keys files can contain restrictions, such as no-pty, at the 
beginning of a line.

Combined with most users' shells being set to rssh, most of the attack 
vectors are thus shut down. Leaving just this login issue.

> However, if you really want to add password login to your ssh
> session, the only way I can think of to do this is to tunnel a
> network port forward, then log in again.

That's a thought. Thanks. Not ideal, but it's a thought.

Seems completely retarded (sort of) that one can be prompted for a 
password locally, but not once in a shell.

Feels like setting the user to rssh, then 'su $USER' within the rc file 
is sort of a path. (Exiting the rc file, things continue on as normal to 
a shell. Would have thought 'exit -1' in the rc file would eject the 
user.) As said, login doesn't do it (not root) - it hasn't occurred to 
me how else to change / login to a user other than su.

> Alternatively, you can run a second ssh server on a different port
> that is configured to accept password login.

HAH! There's a thought. At that point you're local, and passwords are 
acceptable locally - one could telnet localhost within the rc!

> It would probably be simpler, more conventional, and more flexible,
> to use OpenVPN for the key file authenticated network tunnelling,
> then log in with SSH over the VPN connection.

True. Or telnet, for that matter. Sadly, openvpn is a heavier lift 
(everywhere), than ssh.

Hmmm, or ssh -fNR <something>, and have the server phone you back, 
prompting for password then.
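The message above leans on the options that sshd lets you put at the start of an authorized_keys line (no-pty, command=, and so on) to limit what a stolen key can do. Below is an added example, not code from this thread or from OpenSSH, that parses that options field as sshd(8) documents it (comma-separated, values double-quoted, `\"` escapes inside values) and reports which keys in a file are missing the usual lockdown options. The sample file is constructed and its key blobs are placeholders, not real keys.

```python
"""Audit an OpenSSH authorized_keys file for per-key lockdown options.

Added example, not code from the kwlug-disc thread. Option names and line
grammar follow sshd(8); the sample key lines below are constructed and the
key blobs are placeholders, not real keys.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # token that ends the options field


@dataclass
class AuthorizedKey:
    key_type: str
    key_blob: str
    comment: str
    options: Dict[str, List[str]] = field(default_factory=dict)  # flag -> [""]


@dataclass
class Finding:
    line: int
    comment: str
    issues: List[str]


def _parse_options(text: str) -> Tuple[Dict[str, List[str]], int]:
    """Parse the leading options field. Values are double-quoted and may hold
    commas, spaces and \\" escapes. Returns (options, index past the field)."""
    opts: Dict[str, List[str]] = {}
    i, n = 0, len(text)
    while i < n:
        start = i
        while i < n and text[i] not in ",= \t":
            i += 1
        name, buf = text[start:i].lower(), []
        if i < n and text[i] == "=":
            if i + 1 >= n or text[i + 1] != '"':
                raise ValueError(f"option {name} needs a quoted value: {text!r}")
            i += 2  # skip '="'
            while i < n and text[i] != '"':
                if text[i] == "\\" and i + 1 < n and text[i + 1] == '"':
                    i += 1  # \" inside a value means a literal quote
                buf.append(text[i])
                i += 1
            i += 1  # skip the closing quote
        opts.setdefault(name, []).append("".join(buf))
        if i < n and text[i] == ",":
            i += 1
        else:
            break
    return opts, i


def parse_authorized_key(line: str) -> Optional[AuthorizedKey]:
    """Parse one line; blank and '#' comment lines yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options: Dict[str, List[str]] = {}
    rest = line
    if not line.startswith(KEY_TYPE_PREFIXES):  # options come before the key type
        options, end = _parse_options(line)
        rest = line[end:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    return AuthorizedKey(parts[0], parts[1], parts[2] if len(parts) == 3 else "", options)


def audit_key(key: AuthorizedKey) -> List[str]:
    """List the lockdown options a key lacks. 'restrict' (OpenSSH 7.2+) turns
    everything off; pty/port-forwarding/agent-forwarding then re-enable one."""
    o, r = key.options, "restrict" in key.options
    issues = []
    if "from" not in o:
        issues.append("no from= source restriction")
    if ("pty" in o) if r else ("no-pty" not in o):
        issues.append("interactive pty allowed")
    if ("port-forwarding" in o) if r else ("no-port-forwarding" not in o):
        issues.append("port forwarding allowed")
    if ("agent-forwarding" in o) if r else ("no-agent-forwarding" not in o):
        issues.append("agent forwarding allowed")
    if "command" not in o:
        issues.append("no forced command")
    return issues


def audit(text: str) -> List[Finding]:
    """One Finding per key line; an empty issues list means fully locked down."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        key = parse_authorized_key(raw)
        if key is not None:
            out.append(Finding(lineno, key.comment, audit_key(key)))
    return out


# Constructed sample file; the blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop
from="192.0.2.0/24,!192.0.2.7",no-pty,no-port-forwarding,command="/usr/bin/rrsync /srv/backup" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER backup@nas
restrict,pty,command="echo \\"hi there\\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER bob
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {f.line} ({f.comment or 'no comment'}): {'; '.join(f.issues) or 'ok'}")
```

Point it at a real file with `audit(open('/home/someuser/.ssh/authorized_keys').read())`. For the thread's actual question, requiring the key and a password from the same sshd, OpenSSH 6.2 and later accept `AuthenticationMethods publickey,password` in sshd_config, which is the single server-side change being asked for; keep an existing session open while testing it so a typo does not lock you out.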




