I've read up a bit on public key authentication, but I think I'm missing a key aspect.
I have an Ubuntu server I've configured to work as an Subversion server that accepts SVN connections over SSH using a non-standard port. So, to check out, it would something like:
svn co svn+ssh://user#example.com:12345/repos/public
Now, my server currently supports both password based authentication, and public key authentication. Assuming my server at my office is bolted and anchored down, and the firewall and all are working, I don't have to worry about someone copying files off the server.
For my two client laptops, I've generated public-private key pairs, and have added the public keys for the clients to the AuthorizedKeys list on the server via the ssh-copy-id command. I can now SSH into the server from these client laptops without a password.
This concerns me though. If someone breaks into my hotel room and steals my laptop, then they can just pull the hard drive, copy the contents of ~/.ssh to a separate machine, and attempt to log in to my servers effortlessly. If I just used password-based authentication, and just memorize the passwords or store them in an encrypted TrueCrypt archive, it is much safer.
I know that during the creation of my key pairs on the clients, a passphrase had to be entered. Is it possible to require the server to not only validate the public key, but to also require the passphrase to be entered? This seems like a very weak system if all that is required is stealing the laptop of a single employee and copying a file off of it to get total system access.
Thank you.
You can protect the keystore on the client with an additional passphrase so one needs to unlock the key to use it but this is configured on the client and cannot be enforced by the server. Using an SSH-agent you need to unlock a key only once and use it as long as the client is in use.
This is covered on another SO site.
https://serverfault.com/questions/93807/how-do-i-setup-ssh-with-both-private-key-and-password
Here is the example SSHD server script.
#######################################################
### Calomel.org SERVER /etc/ssh/sshd_config
#######################################################
#
Port 22
Protocol 2
AddressFamily inet
#ListenAddress 127.0.0.1
#See the questions section for setting up the gatekeeper
#ForceCommand /tools/ssh_gatekeeper.sh
AllowUsers calomel#10.10.10.3 calomel#192.168.*
AllowGroups calomel
AllowTcpForwarding yes
#AuthorizedKeysFile .ssh/authorized_keys (need to be be commented for OpenSSH 5.4)
Banner /etc/banner
ChallengeResponseAuthentication no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
ClientAliveInterval 15
ClientAliveCountMax 3
Compression yes
GatewayPorts no
LogLevel VERBOSE
LoginGraceTime 50s
MACs hmac-sha2-512-96,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-256,hmac-sha1-96,hmac-sha1
MaxAuthTries 6
MaxStartups 10
PasswordAuthentication yes
PermitEmptyPasswords no
#PermitOpen localhost:80
PermitRootLogin no
PermitUserEnvironment no
PidFile /var/run/sshd.pid
PrintLastLog yes
PrintMotd no
PubkeyAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/sftp-server
SyslogFacility AUTH
TCPKeepAlive no
UseDNS no
UseLogin no
UsePrivilegeSeparation yes
X11DisplayOffset 10
X11Forwarding no
X11UseLocalhost yes
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
#
#######################################################
### Calomel.org SERVER /etc/ssh/sshd_config
#######################################################
Related
this is what I need to realize:
keybased passwordless authentication for user root
passwordbased authentication for any other user than root
Server I need to have access to is running Debian 9 (stretch).
On my client I have I have created a keypair like this: ssh-keygen
This created the following files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.
Now I copied the content of ~/.ssh/id_rsa.pub into /root/.ssh/authorized_keys on the server and modified the keyfile with permission 600.
Then I modified the /etc/ssh/sshd_config on server by setting the following values:
PermitRootLogin without-password
PubkeyAuthentication yes
Now I restarted ssh service on server and tried the connection by ssh root#sub.domain.tld.
It still ends in password prompt for user root.
The outcome of ssh -vvv root#sub.domain.tld you can find here (Ubuntu Pastebin).
What did I miss to modify?
Kind regards
//neph
You should follow this tutorial, there's a lot of outdated ones. It worked for me on Ubuntu 19.04.
All you have to do is:
apt-get install libpam-google-authenticator.
Users who want to continue using ssh must each run the command google-authenticator. This tool interatively helps you to create the file ~/.google_authenticator, which contains a shared secret and emergency passcodes. It's a terminal application, but it does still display a QR code for quick loading of the shared secret into your two factor device (in my case, this is the Google Authenticator app on my Android smartphone).
Edit /etc/ssh/sshd_config. Set:
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
In case you have changed them in the past, you should also check the following two settings (these are both defaults on Ubuntu):
UsePAM yes
PubkeyAuthentication yes
Run sudo service ssh reload to pick up your changes to /etc/ssh/sshd_config.
Edit /etc/pam.d/sshd and replace the line:
#include common-auth
with:
auth required pam_google_authenticator.so
That's it! Now ssh logins will require a key, and after your key is verified will additionally require proof that you hold your second factor device.
I'm working on an embedded board (i.MX6) with a Yocto-based embedded Linux. So far I used Dropbear as SSH server. However, Dropbear doesn't provide an SFTP server, which I need. Therefore I switched from Dropbear to OpenSSH (built it from the standard Poky sources, and installed it via opkg).
However, since then I cannot login to the board via SSH anymore, because the server asks for a password, which I don't know. The only user is root, and it has no password configured (this is still true, because I can log in locally via RS232 without problems). Why does OpenSSH ask for a password? How can I remove that?
I thought that maybe there's a passphrase set in one of the private keys in /etc/ssh:
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_rsa_key
So I did ssh-keygen -p -f /etc/ssh/ssh_host_rsa_key respectively for each of them, but it didn't help.
This is the essential pieces of the sshd_config file:
# grep '^[^#]' /etc/ssh/sshd_config
Protocol 2
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
UsePrivilegeSeparation sandbox # Default for new installations.
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
Subsystem sftp /usr/lib/openssh/sftp-server
Any ideas?
Are you sure that you have debug-tweaks in your IMAGE_FEATURES or EXTRA_IMAGE_FEATURES?
If so, the ROOTFS_POSTPROCESS_COMMAND should include ssh_allow_empty_password(); which in turns should set PermitEmptyPasswords yes in /etc/ssh/sshd_config and /etc/ssh/sshd_config_readonly. That should allow you to use empty passwords with OpenSSH.
If you have "debug-tweaks" in your EXTRA_IMAGE_FEATURES then the password will be blank: this may be ok for development images.
If you want to have some security instead, you can either add a recipe that installs a public key to /root/.ssh/authorized_keys or use the extrausers class in an image recipe or local configuration to set the password.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
Improve this question
Heyho,
I have a kind of weird problem with an ubuntu server that runs open ssh-server.
Everything configuration wise is working except for one thing. I cannot connect via putty with my .ppk key to the server, right after it booted.
I get a "server refused our key". Since the thing is currently running in Virtual Box I still have access over the direct login. So I login with my user and my password and instantly log out again.
Now I can connect via putty and the .ook key. And I have no Idea why. Either I missed some explanation somewhere or I screwed up something somewhere with the configs. If anybody can point me in the right direction I'd be grateful!
sshd_config:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation no
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes no
RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseLogin yes
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no
AllowTcpForwarding yes
The key is in the decribed place and everything, and as said, I can connect just fine after logging in directly on the VM after a reboot, but no matter what I try I cannot get it to connect without that one login.
This has been answered many times and is more suitable for AskUbuntu.
In short, you have encrypted home folder (even with your AuthorizedKeysFile) and therefore the server can't authenticate you. One possibility is to move the authorized keys somewhere else (AuthorizedKeysFile /etc/ssh/%u/authorized_keys) and decrypt your home folder upon login or just remove the encryption. Official documentation describes it well.
I have a problem trying to ssh into my server after I made some changes in sshd_config file. I had changed the PubkeyAuthentication and RsaAuthentication to YES and PermitRootLogin to NO.
How can I access the server using ssh and edit sshd_config file ?
Either with a user that is allowed to login and has setup the correct public keys (which you surely did beforehand?). Or via the server console.
If you find another way i think you should raise a bug report with sshd, as denying this is the goal of your configuration (with my basic ssh knowledge, though).
Problem solved I ssh into my server using another account that has ssh acccess and then I used su command to login as a root and I accessed the server
I'm trying to configure my SSH server to require users to have an RSA key. To do this I have the settings in sshd_config set to
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
and
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
and
UsePAM no
Then I do sudo /etc/init.d/ssh restart to restart the server.
This seems to work to some degree, because I included my macs rsa_key and it lets me log in without asking for a password. However when I try to ssh in through a computer that I haven't included the key of, it just prompts me for my password, and then when entered, lets me in.
What am I doing wrong?
I'd say you're not reloading your ssh config correctly. Which Linux distribution/version are you using (assuming you're even using Linux)?
In Ubuntu I usually do:
sudo restart ssh
OR
sudo service ssh restart
Additionally, though not germane to this question - ideally root should not have a password - you should use be using sudo.
I think you also need
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin without-password
otherwise even if sshd does not ask itself for a password, it will trust PAM and login which will authenticate the user with its password.
While testing, make sure to have another way in in case a problem occurs with SSH...
And make sure you restart your server with /etc/init.d/sshd restart.