SSH with publickey and password both

SANTOSH S. MHASKAR
Trusted Contributor

SSH with publickey and password both

Hi,

I have an HP-UX 11.11 system with OpenSSH_4.2p1-hpn installed (T1471AA - HP Secure Shell).

To tighten security, I want the server system to give the client access only
if the client enters the password (what he knows) and his public key is matched with
the key stored in the authorized_keys file.

Is it possible? If yes, how?

Thanks in advance.


-Santosh Mhaskar
Jeeshan
Honored Contributor

Re: SSH with publickey and password both

Yes, it's possible.

Check this attached file.
a warrior never quits
Steven Schweda
Honored Contributor

Re: SSH with publickey and password both

You can create public-key files which use
a passphrase.

I know of no easy way to use the normal UNIX
password with SSH public-key authentication.


> To tighten security, [...]

Attempts like this can backfire.
SANTOSH S. MHASKAR
Trusted Contributor

Re: SSH with publickey and password both

Dear Steve and ahsan, I am not indicating the private key passphrase but
indicating the unix password.

If I connect to the server using the ssh -v option, it gives the following o/p

----------------------------
debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
----------------------------

Here it is skipping the 1st method of authn., i.e. publickey.

I want both types of authn. to happen. How can I achieve this?

Also, once the ssh session is established, is there any method to get the publickey of the client?

Pl. help.

-Santosh Mhaskar
Steven E. Protter
Exalted Contributor

Re: SSH with publickey and password both

Shalom,

How about public key ONLY access.

http://www.hpux.ws/?p=19

It is very secure.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven Schweda
Honored Contributor

Re: SSH with publickey and password both

> debug1: Next authentication method: publickey
> debug1: Trying private key: /root/.ssh/identity
> debug1: Trying private key: /root/.ssh/id_rsa
> debug1: Trying private key: /root/.ssh/id_dsa
> debug1: Next authentication method: keyboard-interactive
> Password:
> ----------------------------
>
> Here it is skipping 1st method of authn. i.e. publickey.

It's not skipping it, it's trying it (with
three key file names), but it fails. Bad key
data, I'd guess.

> I want both type of authn. to happen. How
> can I achieve this?

As I said, I know of no way to do it.

> Also once ssh session is established, is
> there any method to get publickey of
> client?

Huh?
SANTOSH S. MHASKAR
Trusted Contributor

Re: SSH with publickey and password both

Hi Steve, SEP,

I am interested to know whether ssh connectivity can be established
by using both password and publickey because I want to restrict the user
to login from particular machine (client).

By using only publickey authn. I can do this but the security risk involved is,
any person who has access from that machine (client) would be able
to login to server.

If password authn. is also possible then only a person knowing password
also can access to server. Hence pl. tell me that using ssh whether password
and publickey authn. both are possible or not.

Steven Schweda
Honored Contributor

Re: SSH with publickey and password both

> If password authn. is also possible then
> only a person knowing password
> also can access to server.

As I said before:

> You can create public-key files which use
> a passphrase.

And if you use public-key data which include
a passphrase, then only a person who knows
the passphrase can use those public-key data
to access the server. Why do you insist on
using the UNIX password instead of
public-key data with a passphrase?
Steven Schweda
Honored Contributor

Re: SSH with publickey and password both

> [...] I want to restrict the user
> to login from particular machine (client).

I don't see how any usual public-key scheme
with or without a passphrase will limit
access to "login from particular machine
(client)." From a particular _user_, yes,
but not from a particular client system.

> [...] any person who has access from that
> machine (client) would be able
> to login to server.

What is "that machine (client)"? Is it
completely insecure?

Public-key-with-passphrase still sounds (to
me) like what you really want, but it's not
entirely clear what you really want.
SANTOSH S. MHASKAR
Trusted Contributor

Re: SSH with publickey and password both

Dear Steve,

We have a system on which endusers connect to Unix Server using dumb-terminals/Thin-Clients through LTS (Lan Terminal Server).

This LTS is configured in fixedtty mode so that each terminal connected to specific port of LTS gets same pty/tty device file all the time.

We have an app. that has user privileges/roles associated with this pty/tty id.

eg.

user having pty/tty as /dev/ttys3 has admin role.
user having pty/tty as /dev/ttyp6 has manager role
etc.

This app. has security so that a person sitting only at terminal having pty ID as /dev/ttys3 and knows unix password can do work of manager.

We have such 9 systems and we not want to consolidate it into 1 system. There would be total 1500 users after consolidation. The problem of fixedtty system is it supports only 250 users per system.

Hence I am going to use ssh with publickey authn. only with passphrase. When I tested it with setting

PasswordAuthentication no

in the sshd_config file and restarting the sshd daemon, the system asks for the passphrase and allows access if the correct passphrase is given. But if one gives the wrong passphrase 3 times, it goes to password authn.

-----------------------------
Connected to user1@server2 from user1@server1 giving incorrect passphrase

server1:/home/user1/.ssh>ssh -Y user1@server2
Enter passphrase for key '/home/user1/.ssh/id_rsa':
Enter passphrase for key '/home/user1/.ssh/id_rsa':
Enter passphrase for key '/home/user1/.ssh/id_rsa':
Password:
server1:/home/user1/.ssh>
--------------------------------

It seems

PasswordAuthentication no

setting is not working. Either publickey or password authn. is working in this case. Hence for more security I want both publickey and password authn. using ssh. Is it possible? Why is the

PasswordAuthentication no

setting is not working?

Pl. help.

-Santosh
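
Added example, not part of the thread: the `Password:` prompt in the traces above arrives through the `keyboard-interactive` method, which `PasswordAuthentication no` does not turn off. The shell functions below report which password-prompting methods an sshd_config still leaves enabled. They assume the stock OpenSSH defaults (`yes` for both keywords), read only the global section, and use constructed sample configs; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list the sshd methods that can still
# prompt for the UNIX password. Assumes stock OpenSSH defaults ("yes" for both
# keywords) and inspects only the global section, before any Match line.

# sshd_effective KEYWORD DEFAULT FILE
# sshd honours the FIRST occurrence of a keyword; keywords are case-insensitive
# and may be written "Keyword value" or "Keyword=value".
sshd_effective() {
    awk -F '[ \t=]+' -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key); val = def }
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || NF == 0 { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }        # stop at conditional blocks
        tolower($1) == key { val = tolower($2); exit }
        END { print val }
    ' "$3"
}

# password_prompt_methods FILE -> comma-separated list, empty when none remain
password_prompt_methods() {
    out=""
    if [ "$(sshd_effective PasswordAuthentication yes "$1")" = "yes" ]; then
        out="password"
    fi
    if [ "$(sshd_effective ChallengeResponseAuthentication yes "$1")" = "yes" ]; then
        out="${out:+$out,}keyboard-interactive"
    fi
    echo "$out"
}

# Constructed sample configs (not taken from a real host).
as_tested=$(mktemp); hardened=$(mktemp)
cat > "$as_tested" <<'EOF'
# only the change described in the post
PasswordAuthentication no
EOF
cat > "$hardened" <<'EOF'
PubkeyAuthentication yes
passwordauthentication no
ChallengeResponseAuthentication=no
EOF

echo "as tested: [$(password_prompt_methods "$as_tested")]"
echo "hardened : [$(password_prompt_methods "$hardened")]"
```

Requiring a key and the UNIX password together in one login is what the `AuthenticationMethods` directive provides in OpenSSH 6.2 and later; it is not available in 4.2p1.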