I have a remote service which allows users to SSH login to the machine and they're automatically sent to the (command line) application (without access to a bash prompt, for instance).

In the course of using the application, I would like to request re-authentication.

For instance, when attempting to perform a secure operation. (For example, banks require re-authentication when requesting a money transfer.)

How do I re-authenticate without requiring them to Re-SSH?

Is there any simple manual authentication protocol I can use? Give the user a challenge, they compute the result with their private key, etc.? Are there any reasonable command line tools/libraries to simplify the task?


1 Answer


I guess you use SSH keys as authentication? Reauthentication and key exchanges happen all the time during the SSH protocol, so having an active session is secure enough.

Another thing is confirmation, e.g., you want to check that the user really wants to commit an action that might be irreversible. Let's say deleting something.

To solve this problem, I would suggest you simply show a random 6-digit code on screen and ask the user to retype it to signify a "YES" (and treat it as "NO" if the 6-digit code was incorrect or no code is written).

Like this:

Are you really sure you want to delete the database records_2013.db?

If NO, just press ENTER now.
If YES, type the following code - 193619 - here, and press ENTER: _

This then solves your problem perfectly, since the SSH server/client makes sure it has a valid authenticated connection to the server, which means a malicious user cannot hijack an authenticated SSH session, and the random confirmation code then ensures the user does not, by mistake, commit to a dangerous operation.

Note that this code is not considered to be a captcha, so it won't hinder automatic submissions. But reauth by SSH keys won't solve that either. The code is just there so the user stops and thinks really carefully about whether he wants to proceed before proceeding.

The reason banks use some reauthentication scheme is that sessions can be hijacked, since HTTP/HTTPS is a stateless protocol (connections are closed after the page is sent, making it hard to use the underlying protocol to do session authentication), but also for a second reason: to prevent users from sending money by mistake somewhere they did not intend.

sebastian nielsen
  • @sebastian_nielsen `reason banks use some reauthentication scheme` I assume they also use it in case someone else sat down at your terminal. They want to make sure that at the very moment of that secure operation that you're still the same person. – ChaimKut Oct 14 '14 at 09:40
  • Yes, but based on the OP's description, he was going to use the SSH keys as reauthentication. That means the OP's security model does assume the end user's terminal is secure (e.g., no user other than the one who logged on is sitting at that terminal). Since, if the user's terminal were physically compromised, the attacker would have access to the SSH keys and could do both auth and reauth. The only way a secure reauthentication could be done using a compromised terminal is using some sort of tamper-resistant device like a smart card or token. – sebastian nielsen Oct 14 '14 at 09:50
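
The confirmation prompt suggested in the answer above, as an added example that is not part of the original post or either participant's code. The function names `new_confirmation_code` and `confirm` are hypothetical; the sketch assumes the application reads from and writes to the SSH session's standard streams and treats an empty line, a dropped session (EOF) or any mismatch as "NO".

```python
import hmac
import secrets
import sys


def new_confirmation_code(digits=6):
    """Return a zero-padded random numeric code drawn from the OS CSPRNG."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def confirm(action, stdin=sys.stdin, stdout=sys.stdout, code=None):
    """Show a fresh code and return True only if the user retypes it exactly.

    `code` can be supplied for testing; normally a new one is generated
    for every prompt so a previous answer cannot be replayed by habit.
    """
    code = code or new_confirmation_code()
    stdout.write(
        f"Are you really sure you want to {action}?\n\n"
        "If NO, just press ENTER now.\n"
        f"If YES, type the following code - {code} - here, and press ENTER: "
    )
    stdout.flush()

    # readline() returns "" on EOF (session dropped) and "\n" on a bare
    # ENTER; both strip down to an empty string, which never matches.
    typed = stdin.readline().strip()

    # Single attempt, exact match. Comparing bytes means unexpected
    # non-ASCII input is simply rejected instead of raising TypeError.
    return hmac.compare_digest(typed.encode(), code.encode())


if __name__ == "__main__":
    # Constructed sample action, taken from the prompt shown in the answer.
    if confirm("delete the database records_2013.db"):
        print("Confirmed, proceeding.")
    else:
        print("Cancelled.")
```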