[kwlug-disc] How to ... having ssh key connected ... ask for password, logout if fail?

Chris Irwin chris at chrisirwin.ca
Thu Oct 6 11:01:03 EDT 2016


On Wed, Oct 05, 2016 at 10:10:39AM -0400, B.S. wrote:
>I have set up key files for ssh'ing in. key passphrases are empty. ssh 
>me at mine takes me straight to a prompt. This is 'good'.
>
>(1) How to be asked for a password once connected?
>
>(i.e. key files limit external access to ssh server [no keyfile, no 
>access] - but with an empty passphrase, how to know the user is 
>authorized / the key didn't get copied somewhere else / someone else 
>isn't using it?) [Ignore proper permissions / file restriction 
>settings - assume root is accessing the file.]

Short answer: Add the following to your /etc/ssh/sshd_config, then 
restart sshd:

    UsePAM yes
    AuthenticationMethods publickey,password

SSH sessions will now require both a key and a password. In this order, 
the key is required first. Only if the key is valid does it prompt for a 
password.

If you want to exclude yourself, you could use a match rule:

    UsePAM yes
    
    Match User *,!me
    AuthenticationMethods publickey,password

>Really, I'd like to be asked to log in post ssh passwordless connect, 
>and logged out if that fails.

Essentially, you're asking the slightly wrong question. You're asking to 
authenticate a user with a key, then re-authenticate a user with a 
password later. This would lead you towards "run a command after ssh 
login" documentation, which isn't what you want.

What you really want is a user to have a key *and* a password to 
authenticate. This is two-factor authentication (key and password, but 
most of the documentation will talk about adding an OTP instead). 
Googling that would get you more relevant documentation.

Usually you'd do this with PAM directly (and if you're adding an OTP, 
you'll have to), but since sshd handles key authentication itself, 
you've got to enforce your second method in sshd.

>(2) How to force logout if password verification fails?

Using the above, the user won't be logged in if the password fails.

-- 
Chris Irwin

email:   chris at chrisirwin.ca
 xmpp:   chris at chrisirwin.ca
  web: https://chrisirwin.ca
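The two sshd_config snippets above are worth checking before you rely on them, because a `Match User *,!me` block quietly drops `me` back to sshd's default of any single method. The following added example (not sshd's code and not from the original post) reimplements, in simplified form, the rules from sshd_config(5) that decide the outcome: pattern lists are comma separated, `*` and `?` are wildcards, a matching `!`-negated entry rejects the whole list, the first value of a keyword in a section wins, and the first applicable Match block that sets a keyword overrides the global section. Only the `User` criterion of `Match` is modelled (an assumption; `Group`, `Address` and the rest are rejected rather than guessed at). The config texts are the post's own snippets, embedded as constructed input.

```python
"""Resolve the effective AuthenticationMethods sshd would apply to a user.

Added example: a simplified model of sshd_config(5) Match/pattern-list
semantics, written to check the snippets from the post offline. It is not
sshd's own implementation.
"""
import re

# sshd's default: any single configured method is sufficient.
DEFAULT_AUTH_METHODS = "any"


def glob_to_regex(pattern):
    """Translate an sshd-style pattern ('*' and '?' wildcards) to a regex."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def match_pattern_list(name, pattern_list):
    """True if name matches the pattern list as sshd_config(5) describes:
    a matching negated ('!') entry fails the whole list, and at least one
    non-negated entry must match."""
    positive = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if glob_to_regex(pat[1:]).match(name):
                return False
        elif glob_to_regex(pat).match(name):
            positive = True
    return positive


def parse_sshd_config(text):
    """Return (global_opts, match_blocks).

    global_opts maps lower-cased keyword -> first value seen (sshd keeps
    the first occurrence). match_blocks is a list of (criteria, opts) in
    file order, where criteria is a list of (criterion, pattern_list).
    """
    global_opts = {}
    match_blocks = []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            criteria = [(tokens[i].lower(), tokens[i + 1])
                        for i in range(0, len(tokens) - 1, 2)]
            current = {}
            match_blocks.append((criteria, current))
            continue
        target = global_opts if current is None else current
        target.setdefault(keyword, value)  # first value wins
    return global_opts, match_blocks


def block_applies(criteria, user):
    """Assumption: only the 'User' criterion is modelled here."""
    for criterion, pattern_list in criteria:
        if criterion != "user":
            raise ValueError("unsupported Match criterion: " + criterion)
        if not match_pattern_list(user, pattern_list):
            return False
    return True  # 'Match All' (no criteria) applies to everyone


def effective_auth_methods(config_text, user):
    """The AuthenticationMethods value sshd would enforce for user."""
    global_opts, match_blocks = parse_sshd_config(config_text)
    for criteria, opts in match_blocks:
        if block_applies(criteria, user) and "authenticationmethods" in opts:
            return opts["authenticationmethods"]
    return global_opts.get("authenticationmethods", DEFAULT_AUTH_METHODS)


# Constructed input: the two snippets from the post.
GLOBAL_ONLY = """
UsePAM yes
AuthenticationMethods publickey,password
"""

EXCLUDE_ME = """
UsePAM yes

Match User *,!me
AuthenticationMethods publickey,password
"""

if __name__ == "__main__":
    for cfg_name, cfg in (("global", GLOBAL_ONLY), ("match", EXCLUDE_ME)):
        for user in ("me", "bob"):
            print(cfg_name, user, effective_auth_methods(cfg, user))
```

Running it shows `me` resolving to `any` under the Match variant while every other user gets `publickey,password`; on a real host, compare against what sshd itself reports with `sshd -T -C user=me` after a config change, since that output is authoritative and this model is not.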




