Stuart Henderson
2021-Aug-23 10:18 UTC
How can I make SSH with an identity file always demand a password?
On 2021/08/21 20:19, matthewhtb at danwin1210.me wrote:
> Hello,
>
> I hope my question is apt for this list.
>
> I am using OpenSSH_8.2p1 on Ubuntu 20.04.
>
> I connect to a remote SSH server with the -i /path/to/file identity file
> option. My local machine asks me for a password for the identity file.
> This is because I created a password when using ssh-keygen.
>
> However, after I exit from the SSH server, and log back in I am not asked
> for a password. Some kind of caching is happening.
>
> Is there a way to force the password to be asked on every occasion when
> using an identity file?
>
> I have searched but it looks as if everyone wants to avoid using
> passwords, not deliberately attempting to use them.

Other replies have looked at this from the client side and agent caching,
but you can also require on the server that a password *as well as* a
public key is offered. That also guards against users who did not use
a password/passphrase to protect their key.

See sshd_config(5):

     AuthenticationMethods
             Specifies the authentication methods that must be successfully
             completed for a user to be granted access. This option must be
             followed by one or more lists of comma-separated authentication
             method names, or by the single string any to indicate the
             default behaviour of accepting any single authentication
             method. If the default is overridden, then successful
             authentication requires completion of every method in at least
             one of these lists.

             For example, "publickey,password publickey,keyboard-interactive"
             would require the user to complete public key authentication,
             followed by either password or keyboard interactive
             authentication. Only methods that are next in one or more lists
             are offered at each stage, so for this example it would not be
             possible to attempt password or keyboard-interactive
             authentication before public key.
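As an added illustration of the server-side policy Stuart describes (this is example code, not part of the thread and not OpenSSH code), the script below parses an sshd_config text, honours Match blocks, and reports for every AuthenticationMethods directive whether each comma-separated list really forces publickey followed by password or keyboard-interactive. It also flags the case where "password" is listed while PasswordAuthentication is set to no in the same scope, since sshd_config(5) requires each listed method to be enabled for that stage to succeed. The sample configuration embedded at the bottom is constructed for the demonstration; the "keyword=value" spelling sshd also accepts is not handled.

```python
"""Audit an sshd_config for "publickey plus second method" policy.

Added example, not OpenSSH's own code. The SAMPLE_CONFIG below is a
constructed fragment, not a real server's configuration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Methods that count as the "second step" after publickey in this audit.
SECOND_FACTORS = {"password", "keyboard-interactive"}


@dataclass
class Scope:
    name: str                                   # "global" or "Match <criteria>"
    settings: dict = field(default_factory=dict)  # lowercased keyword -> value


def parse_sshd_config(text: str) -> list[Scope]:
    """Split the config into the global scope plus one Scope per Match block.

    Keywords are case-insensitive, '#' starts a comment, and within a scope
    the first value for a keyword wins (sshd keeps the first obtained value).
    """
    scopes = [Scope("global")]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scopes.append(Scope("Match " + value))
            continue
        scopes[-1].settings.setdefault(key, value)
    return scopes


def list_requires_second_factor(method_list: str) -> bool:
    """True when one comma-separated list demands publickey and, in addition,
    password or keyboard-interactive."""
    methods = {m.strip().lower() for m in method_list.split(",") if m.strip()}
    return "publickey" in methods and bool(methods & SECOND_FACTORS)


def audit(text: str) -> dict[str, dict]:
    """Return {scope name: {"strong": bool, "notes": [...]}} for every scope
    that sets AuthenticationMethods. Scopes without the directive inherit
    sshd's default ("any", a single method suffices) and are not listed."""
    report: dict[str, dict] = {}
    scopes = parse_sshd_config(text)
    global_settings = scopes[0].settings
    for scope in scopes:
        value = scope.settings.get("authenticationmethods")
        if value is None:
            continue
        # A Match block overrides only the keywords it sets; the rest is global.
        effective = {**global_settings, **scope.settings}
        notes: list[str] = []
        lists: list[str] = []
        if value.lower() == "any":
            notes.append("'any' accepts a lone public key (sshd default)")
        else:
            lists = value.split()
            for lst in lists:
                if not list_requires_second_factor(lst):
                    notes.append(f"list '{lst}' does not require publickey "
                                 "plus password/keyboard-interactive")
        strong = not notes
        # Each listed method must also be enabled, or that stage can never pass.
        listed = {m for lst in lists for m in lst.lower().split(",")}
        if ("password" in listed
                and effective.get("passwordauthentication", "yes").lower() == "no"):
            notes.append("password is listed but PasswordAuthentication is no; "
                         "that stage can never succeed")
        report[scope.name] = {"strong": strong, "notes": notes}
    return report


# Constructed sample: global policy is right but password auth is disabled,
# one Match block weakens the policy, another repairs the password setting.
SAMPLE_CONFIG = """
Port 22
PasswordAuthentication no          # breaks the password stage below
AuthenticationMethods publickey,password publickey,keyboard-interactive

Match User deploy
    AuthenticationMethods publickey

Match Group ops
    PasswordAuthentication yes
    AuthenticationMethods publickey,password
"""

if __name__ == "__main__":
    for scope, verdict in audit(SAMPLE_CONFIG).items():
        status = "OK  " if verdict["strong"] else "WEAK"
        print(f"{status} {scope}: {'; '.join(verdict['notes']) or 'no issues'}")
```

Running it prints one line per scope: the global policy is strong but carries a note about PasswordAuthentication, "Match User deploy" is reported as weak because a key alone suffices there, and "Match Group ops" passes cleanly.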
Jochen Bern
2021-Aug-24 08:35 UTC
How can I make SSH with an identity file always demand a password?
On 23.08.21 12:18, Stuart Henderson wrote:
> Other replies have looked at this from the client side and agent caching,
> but you can also require on the server that a password *as well as* a
> public key is offered. That also guards against users who did not use
> a password/passphrase to protect their key.

Or [ fail to use | use a reimplementation that lacks ] the "-c" and "-t" options of ssh-add.

However, I seem to remember that at some point (one or two years ago?), there was an announcement that in future versions of OpenSSH, the server side may get *told* whether the auth was done with or without *human* interaction on the client side (i.e., when talking about user keypair auth, passphrase entered vs. straight out of some agent) and could reject a non-interactive attempt, which would satisfy the OP's need.

Any news of that, or am I misremembering?

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH