Hi,

How to configure sshd to require both ssh public key and user password also? yes, stupid, but required on my setup..

--
Eero

On 09.06.2011 at 23:34, Eero Volotinen wrote:

> Hi,
>
> How to configure sshd to require both ssh public key and user
> password also? yes, stupid, but required on my setup..
>
> --
> Eero

Used google lately?

http://www.google.com/search?client=safari&rls=en&q=sshd+key+password&ie=UTF-8&oe=UTF-8#sclient=psy&hl=en&client=safari&rls=en&source=hp&q=ssh+key+and+password&aq=f&aqi=&aql=&oq=&pbx=1&bav=on.2,or.r_gc.r_pw.&fp=b9cfb64a5f16eb0c&biw=1444&bih=948

That's for accelerating my pulse for two seconds.

At Fri, 10 Jun 2011 00:34:06 +0300 CentOS mailing list <centos at centos.org> wrote:

> Hi,
>
> How to configure sshd to require both ssh public key and user
> password also? yes, stupid, but required on my setup..

Just require an ssh public key AND require that public keys be created with a passphrase.

--
Robert Heller

On Thursday 09 June 2011 17:34, the following was written:

> How to configure sshd to require both ssh public key and user
> password also? yes, stupid, but required on my setup..

Have you thought about securing your ssh keys with a password? I do that here so if someone would happen to get a hold of my keys they still could not use them. I am guessing that is why you are looking for both keys and passwords.

--
Regards
Robert

> How to configure sshd to require both ssh public key and user
> password also? yes, stupid, but required on my setup..

If you want 2 factor authentication, you can add yubikeys. They are little USB dongles that provide one-time passwords. And the server-side for those is open-source if you don't want to use their authentication servers. And they are relatively cheap. We use these here on our border servers to increase security.

Regards,

Another option that you might want to look at is putting up an OpenBSD gateway running authpf (see <http://www.openbsd.org/faq/pf/authpf.html>).

The model there is an outside user has to open up an ssh shell to the authpf gateway before they are allowed to access services inside the network. If their gateway shell goes away, so does their access. If you require password / secure token / whatever auth on the gateway, then you do that once and then you can use ssh-key auth to get to your inside machines as much as you'd like.

Authpf can be used to allow/restrict access to arbitrary network services; it's not limited to just ssh. The shell the user gets on the authpf gateway is not usable for anything else; it just sits there until the user logs out, so it can't be used to crack the gateway or internal machines.

Devin