matthewhtb at danwin1210.me
2021-Aug-21 20:19 UTC
How can I make SSH with an identity file always demand a password?
Hello,

I hope my question is apt for this list.

I am using OpenSSH_8.2p1 on Ubuntu 20.04.

I connect to a remote SSH server with the -i /path/to/file identity file option. My local machine asks me for a password for the identity file. This is because I created a password when using ssh-keygen.

However, after I exit from the SSH server, and log back in I am not asked for a password. Some kind of caching is happening.

Is there a way to force the password to be asked on every occasion when using an identity file?

I have searched but it looks as if everyone wants to avoid using passwords, not deliberately attempting to use them.

Thank you.
hvjunk
2021-Aug-21 21:29 UTC
How can I make SSH with an identity file always demand a password?
> On 21 Aug 2021, at 22:19, matthewhtb at danwin1210.me wrote:
>
> Hello,
>
> I hope my question is apt for this list.
>
> I am using OpenSSH_8.2p1 on Ubuntu 20.04.
>
> I connect to a remote SSH server with the -i /path/to/file identity file
> option. My local machine asks me for a password for the identity file.
> This is because I created a password when using ssh-keygen.
>
> However, after I exit from the SSH server, and log back in I am not asked
> for a password. Some kind of caching is happening.

It gets loaded into the ssh-agent for things ssh forwarding

> Is there a way to force the password to be asked on every occasion when
> using an identity file?

unload it from the ssh agent, or remove the ssh agent.

> I have searched but it looks as if everyone wants to avoid using
> passwords, not deliberately attempting to use them.

jumping twenty times an hour between 100 different instances behind jumphosts, you do tend to focus on only protecting the ssh-agent/key when you aren't at your desk or the laptop/etc. gets stolen, not while you need to connect to lots of hosts to type in that 20+ character pass phrase.

I recall there are various settings in the GUI/desktop managers to unload the keys when the screen locker activates
Stuart Henderson
2021-Aug-23 10:18 UTC
How can I make SSH with an identity file always demand a password?
On 2021/08/21 20:19, matthewhtb at danwin1210.me wrote:
> Hello,
>
> I hope my question is apt for this list.
>
> I am using OpenSSH_8.2p1 on Ubuntu 20.04.
>
> I connect to a remote SSH server with the -i /path/to/file identity file
> option. My local machine asks me for a password for the identity file.
> This is because I created a password when using ssh-keygen.
>
> However, after I exit from the SSH server, and log back in I am not asked
> for a password. Some kind of caching is happening.
>
> Is there a way to force the password to be asked on every occasion when
> using an identity file?
>
> I have searched but it looks as if everyone wants to avoid using
> passwords, not deliberately attempting to use them.

Other replies have looked at this from the client side and agent caching, but you can also require on the server that a password *as well as* a public key is offered. That also guards against users who did not use a password/passphrase to protect their key. See sshd_config(5):

     AuthenticationMethods
             Specifies the authentication methods that must be successfully
             completed for a user to be granted access.  This option must be
             followed by one or more lists of comma-separated authentication
             method names, or by the single string any to indicate the default
             behaviour of accepting any single authentication method.  If the
             default is overridden, then successful authentication requires
             completion of every method in at least one of these lists.

             For example, "publickey,password publickey,keyboard-interactive"
             would require the user to complete public key authentication,
             followed by either password or keyboard interactive
             authentication.  Only methods that are next in one or more lists
             are offered at each stage, so for this example it would not be
             possible to attempt password or keyboard-interactive
             authentication before public key.
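
Added example, not part of the original thread and not OpenSSH code: a small Python model of the AuthenticationMethods rule quoted from sshd_config(5) in the last reply, replaying which methods are offered at each stage. The function names are hypothetical, and how partial progress is tracked (removing a completed method from the front of every list that starts with it) is an assumption of this model.

```python
# Added illustration: a model of the documented rule, not OpenSSH source code.
PAGE_EXAMPLE = "publickey,password publickey,keyboard-interactive"


def parse_authentication_methods(value):
    """Split an AuthenticationMethods value into lists of method names."""
    value = value.strip()
    if value == "any":
        return None  # default behaviour: any single method is sufficient
    lists = [entry.split(",") for entry in value.split()]
    if not lists or any(not name for entry in lists for name in entry):
        raise ValueError("malformed AuthenticationMethods value: %r" % value)
    return lists


def offered(remaining):
    """Methods that are next in one or more of the remaining lists."""
    return sorted({entry[0] for entry in remaining if entry})


def succeed(remaining, method):
    """Record one successful method; return (remaining lists, authenticated)."""
    if method not in offered(remaining):
        raise PermissionError("%s is not offered at this stage" % method)
    # Assumption: a completed method is removed from the front of every list
    # that starts with it; access is granted once any list is used up.
    updated = [e[1:] if e[:1] == [method] else e for e in remaining]
    return updated, any(not e for e in updated)


def walk(value, successes):
    """Replay successful methods in order; return (offers per stage, granted)."""
    remaining = parse_authentication_methods(value)
    if remaining is None:
        return [], bool(successes)
    stages, granted = [], False
    for method in successes:
        stages.append(offered(remaining))
        remaining, granted = succeed(remaining, method)
        if granted:
            break
    return stages, granted


if __name__ == "__main__":
    # A key held by ssh-agent completes "publickey" silently, but that alone
    # does not grant access under the page's example setting.
    print(walk(PAGE_EXAMPLE, ["publickey"]))
    print(walk(PAGE_EXAMPLE, ["publickey", "password"]))
```

With the page's example value, a cached key satisfies only the first stage, so the server still asks for a password or keyboard-interactive response on every login.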