Is it possible and feasible to setup a linux box to first require a valid key file before prompting for the user's local account credentials? Our setup is that we have to open ssh on a machine to the internet but there's only like 2 people who would need to ssh into it. We want to lock this bad boy down as tight as possible. We are already implementing the usual, firewall, denyhosts, etc, but if this is possible, I'd like to throw it in as well. All replies are appreciated!

3 Answers

If your SSH keys already have a pass phrase (which they should) then you're already doing two-factor, and IMO, adding the local account password to that process isn't going to give you much besides annoyed users.

If your intent is to allow only those two users to login via SSH, you can use the AllowGroups and/or AllowUsers configuration features in your sshd_config.

Alex Howansky
    Problem is, you can't enforce key passwords, key password complexity or key password aging. – Hubert Kario Sep 30 '10 at 17:09
  • Yeah, I'd considered passphrases, but just like he said, it's not true two-factor auth, IMO. Basically what I'm planning for is someone manages to get the username/password of one of the users, I want to make sure they still can't login unless they have the key and vice-versa, if they have the key, they still need the login. If it comes down to it, I'll use passphrases, I just wanted to know if it was possible the other way first. – Hypercoyote Sep 30 '10 at 17:19
  • I'd also add that an ssh key isn't really a second factor, given that it's effectively just a *really* long random password. A true 'something you have' factor would be something physical, like a smart card. – growse Jun 23 '11 at 21:39
Check the man page for sshd_config to see what options are available. HostBasedAuthentication looks promising.

If you can't find what you need, (and even if you can) you could lock down what can be done on the machine, by requiring the use of sudo for many functions - that can be configured to require a password, log everything that gets done, and IMHO should be set up at least as default on any Linux server you use.

See the man page for sudo and sudoers, of course, but also a nice discussion on my favourite page on securing linux servers

dunxd
  • It seems like HostBasedAuth is to allow login from a trusted machine's user to a non-trusted machine without supplying a password. – Hypercoyote Sep 30 '10 at 18:11
From what I found, the commercial SSH2 server, now Tectia SSH Server, supports a RequiredAuthentications config option that does just what you want.

Hubert Kario
  • Thanks, I'm looking for free solutions preferably. Like I said, this isn't a have-to thing, just if it was possible. – Hypercoyote Sep 30 '10 at 18:09
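As an added example that is not part of this thread: later OpenSSH releases (6.2 and up) gained an AuthenticationMethods keyword that does in OpenSSH what the RequiredAuthentications option above does in Tectia, and it combines naturally with the AllowUsers restriction from the first answer. The script below embeds a constructed sshd_config with placeholder user names (alice, bob) and audits whether it really enforces "valid key and then the account password" for only those accounts; it reads the global section only and does not merge Match blocks.

```python
# Added example (not from the thread): audit an sshd_config for the "key AND password"
# policy. Assumes OpenSSH 6.2+ (AuthenticationMethods), placeholder user names, global section only.
# Constructed sample config, not a real host's file.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
AllowUsers alice bob
PubkeyAuthentication yes
PasswordAuthentication yes
# Key first, then the account password: a stolen password alone never reaches a prompt.
AuthenticationMethods publickey,password
"""

def parse_sshd_config(text):
    """Keyword -> value for the global section; sshd honours the first occurrence."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":  # conditional sections start here; stop (not merged)
            break
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts

def requires_key_and_password(opts):
    """True only if every allowed method chain needs both publickey and password."""
    methods = opts.get("authenticationmethods", "any")
    if methods.lower() == "any":
        return False  # sshd default: any one successful method is enough
    if opts.get("pubkeyauthentication", "yes").lower() != "yes":
        return False
    if opts.get("passwordauthentication", "yes").lower() != "yes":
        return False
    for chain in methods.split():  # space-separated chains are alternatives
        steps = {step.split(":")[0].lower() for step in chain.split(",")}
        if not {"publickey", "password"} <= steps:
            return False
    return True

def audit(text, expected_users):
    """Return the policy gaps; an empty list means the config matches intent."""
    opts = parse_sshd_config(text)
    findings = []
    if set(opts.get("allowusers", "").split()) != set(expected_users):
        findings.append("AllowUsers does not match the intended accounts")
    if not requires_key_and_password(opts):
        findings.append("logins do not require both a key and a password")
    return findings
```

Run `sshd -t` after editing the real file before restarting the service, since a syntax error there locks everyone out.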