-2

I'd like to use key-based auth so I can SSH to Linux systems without needing to specify a password and just worry about keeping the key file safe, but there's a chance that someone else (who that someone is won't necessarily be known in advance) would need to get into those systems in my absence (i.e. if I'm on vacation and unreachable). I'd like to use the same key file for all systems (unless that's a really horrible idea for some reason, I don't know), so I don't want to have to provide this key to anyone else.

I tried googling for an answer but couldn't find one. Can key-based auth be used at the same time as keyboard-interactive auth?

vrtigo1
  • Are you logging in as `root` or yourself? Would a future person need to log in as `root` or themselves? – Andrew Nov 28 '14 at 04:01
  • A note on your particular usage case: the simplest way of keeping a keyfile safe is encrypting the key, so that a passphrase is required in order to use it. For your scenario, you won't be able to do this - if they could reach you to get a passphrase, they'd just get your password off you. There are noticeably better ways to arrange absence-access than this (+1 for DTK's excellent suggestion of `sudo`). Since this question is collecting close votes, you might want to instead ask the question you actually have: how to arrange for secure access via ssh in both normal and absence situations. – MadHatter Nov 29 '14 at 09:22

3 Answers

3

Yes, absolutely. It's the default config on most systems: If a key is presented at login, use it. Ask for a password otherwise.

If it's a good idea to allow password-based login at all is another topic.

Sven
3

Even better would be to gen a separate support account, provide it to the person-to-be-later-named, and provide that account (or even better the group that account is in) the ability to impersonate you with SUDO, so what they do will be logged and can be controlled without giving them your account.

That said, the default setup of OpenSSH (the most common SSH server software) is to try to authenticate with a key if one is presented, and if not, to fall back to password-based authentication.

DTK
0

See the AuthenticationMethods setting in man sshd. If you're managing ssh servers, you need to be familiar with the contents of that man page.

Andrew Schulman
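To check which of the behaviours described in the answers a given server actually has, the following added example (not code from any of the answers) reads `sshd -T`-style lines and lists every combination of methods that completes a login, applying the `AuthenticationMethods` rule that commas mean "all of these" and spaces mean "any of these lists". The function name `auth_paths` and the sample input are constructed for illustration, and only publickey, password and keyboard-interactive are modelled.

```shell
#!/bin/sh
# Added example: list the ways a login can succeed, given "keyword value"
# lines on stdin in the lowercase form that `sshd -T` prints.
# Assumption: the input contains all four keywords used below; any other
# method (hostbased, gssapi-with-mic, ...) is treated as disabled.
auth_paths() {
    awk '
    $1 == "pubkeyauthentication"         { on["publickey"] = ($2 == "yes") }
    $1 == "passwordauthentication"       { on["password"] = ($2 == "yes") }
    $1 == "kbdinteractiveauthentication" { on["keyboard-interactive"] = ($2 == "yes") }
    $1 == "authenticationmethods"        { n = 0; for (i = 2; i <= NF; i++) lists[++n] = $i }
    END {
        # Unset or "any": each enabled method is sufficient on its own,
        # which is the key-first, password-fallback default.
        if (n == 0 || lists[1] == "any")
            n = split("publickey password keyboard-interactive", lists, " ")
        for (i = 1; i <= n; i++) {
            # A comma-separated list requires every method in it to succeed.
            m = split(lists[i], need, ",")
            ok = 1
            for (j = 1; j <= m; j++) {
                name = need[j]
                sub(/:.*/, "", name)      # drop a ":device" style suffix
                if (!on[name]) ok = 0     # a disabled method blocks the list
            }
            if (ok) print lists[i]
        }
    }'
}

# Constructed sample (not captured from a real host): key auth with
# password fallback, keyboard-interactive switched off.
auth_paths <<'EOF'
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
authenticationmethods any
EOF
```

On a live server, `sshd -T | auth_paths` (run as root) feeds it the effective global configuration; settings inside `Match` blocks are only evaluated when `sshd -T` is given a connection specification with `-C`.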