search for: pubkeyauthentication

This is a copy of the bug report I sent debian. Package: ssh Version: 1:3.0.2p1-9 Severity: important I want to be able to login between two hosts without entering passwords. ssh-keygen -t dsa * Copy key to other machine cat id_dsa.pub >> .ssh/authorized_keys chmod 600 .ssh/authorized_keys Trouble is that the originating host appears unable to parse its own keys. This is the

Hi all, I'm trying to scp some files from machine1 to machine2. But, I'm in an environment where PubKeyAuthentication is not allowed in ssh :( So, I'm confused how to automate it as cronjob. However, I read somewhere that we can write a little bash script that will utilize 'expect' to answer for the ssh password prompt? Can we do this? Any examples are great help. Thank you.

Hi.? I have configured sshd in OpenBSD to require publickey authentication. I've tried configuring FreeBSD to do the same, but I can still login via keyboard authentication. Here are the options I have in my sshd_config: PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no After setting those options I kill -HUP the sshd? process. Is there something simple I am missing?

There has been some good discussion around our IBM security team as to what actually constitutes SSH multi factor authentication. There are 2 options being discussed. One, the Google Authenticator (OTP authentication). Two, Public/Private key authentication (pubkeyauthentication = yes) which supports pass phrase private key authentication. Which of these is considered multi-factor authentication and can you give a brief response? There are different opinions here and your opinion is greatly appreciated. Sincerely, Bruce F. Bading Senior Security Consultant IBM Systems...

...E log_file] [-f config_file] [-g login_grace_time] [-h host_key_file] [-k key_gen_time] [-o option] [-p port] I have configured for hostbased authentication client ssh_config ... PreferredAuthentications hostbased,publickey HostbasedAuthentication yes PubkeyAuthentication yes PasswordAuthentication no ... server sshd_config ... AuthenticationMethods hostbased,publickey HostbasedAuthentication yes HostbasedUsesNameFromPacketOnly yes PubkeyAuthentication yes PasswordAuthentication...

...he > system--wide client configuration for hostbased authentication to work > for non-root users. I edited configs to client ssh_config ... - PreferredAuthentications hostbased,publickey + PreferredAuthentications hostbased HostbasedAuthentication yes PubkeyAuthentication yes + PubkeyAuthentication no PasswordAuthentication no ... EnableSSHKeysign yes (note: this had already been 'in there' --- just further down in the config) ... server sshd_config ... - AuthenticationMethods...

...File .ssh/authorized_keys in my sshd_config file, pub/priv key authentication no longer worked. I am using OpenSSH_5.4p1, OpenSSL 0.9.8n 24 Mar 2010 on Archlinux. Sam ****************** Here is my WORKING config ****************** Port 22 ListenAddress 0.0.0.0 Protocol 2 PermitRootLogin no PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys PasswordAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no UsePAM yes Subsystem sftp /usr/lib/ssh/sftp-server ****************** END ****************** ****************** Here is my NON-WORKING config ******************...

...asswordAuthentication no KbdInteractiveAuthentication no RhostsRSAAuthentication no HostbasedAuthentication no KerberosAuthentication no GSSAPIAuthentication no RSAAuthentication no PubkeyAuthentication yes Match User foo LocalAddress !10.0.0.1,!fe80:abba::0 PasswordAuthentication no KbdInteractiveAuthentication no RhostsRSAAuthentication no HostbasedAuthentication no KerberosAuthentication no GSSAPIAu...

Hi. I wonder if it would be possible to implement support for a user-specific sshd_config. The primary reason is that I would like the ability to specify that I'm only allowed to login with a key pair, even though the system-wide sshd configuration still allows passwords for other users. Of course, a user-specific sshd_config file should not be able to break the security policy of the

...ey and DSAAuthentication are obsolete: You can use multiple IdentityFile and HostKey options instead, e.g HostKey /etc/ssh_host_key HostKey /etc/ssh_host_dsa_key HostKey /etc/ssh_host_rsa_key in /etc/sshd_config The option DSAAuthentication has been replaced by PubkeyAuthentication. Fingerprinting works for all types of keys: $ ssh-keygen -l -f $HOME/.ssh/{authorized_keys,known_hosts}{,2} 5) Important changes in the implementation of SSH 1 protocol: The OpenSSH server does not require a privileged source port for RhostsRsaAuthentication, since it adds...

...ey and DSAAuthentication are obsolete: You can use multiple IdentityFile and HostKey options instead, e.g HostKey /etc/ssh_host_key HostKey /etc/ssh_host_dsa_key HostKey /etc/ssh_host_rsa_key in /etc/sshd_config The option DSAAuthentication has been replaced by PubkeyAuthentication. Fingerprinting works for all types of keys: $ ssh-keygen -l -f $HOME/.ssh/{authorized_keys,known_hosts}{,2} 5) Important changes in the implementation of SSH 1 protocol: The OpenSSH server does not require a privileged source port for RhostsRsaAuthentication, since it adds...

I looked around for a while, but couldn't find any code for requiring multiple authentication mechanisms in openssh. So I wrote an implemention. I thought at first I should change the PasswordAuthentication, PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some funky stuff in auth2.c with respect to keyboard interactive auth that would make this kind of gnarly, semantics-wise. I also thought about providing a new keyword to specify a list of required authentication mechanisms. But then you...

...nticator (OTP authentication). > > On its own, this is not 2FA. It's single factor ("something you > have"). > > A combination of Google Authenticator _and_ password is 2FA. This is > easy to do with PAM. Agreed > > Two, Public/Private key authentication (pubkeyauthentication = yes) which > > supports pass phrase private key authentication. > > This is 2FA in that you need the private key and the passphrase for it. I don't agree - being able to unlock a private key is just part of "possessing" it. OTOH publickey+password authentication could...

...Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy: coil93 at mail.ee Tested on reiserfs (Suse linux 9.2) How to repeat: 1) StrictModes and PubkeyAuthentication must be enabled for sshd on remote host 2) Create user test on remote host with homedir /home/test and homedir permissions - owner test, mode 0700 3) Create authkeys pair for user test and cat public key into /home/test/.ssh/authorized_keys 4) Set acl on /home/test like "setfacl -m u:te...

http://bugzilla.mindrot.org/show_bug.cgi?id=1180 Summary: Add finer-grained controls to sshd Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedBy: dtucker at

...26 ------- We have implemented a general mechanism to enable directives based on certain criteria, including user and group. It doesn't support authentications yet, but it's planned for the next release. With it, you would enable, say, pubkey authentication only for certain users thusly: PubkeyAuthentication no Match User foo,bar PubkeyAuthentication yes *** This bug has been marked as a duplicate of bug 1180 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

I would like disable password authentication in sshd for particular users, without locking their UNIX password, and without requiring all users to use PubkeyAuthentication. I cannot find a documented way to accomplish this in OpenSSH. Is it currently possible? If not, I think this would be a very useful feature to add. I believe that each user should have some control of which authentication methods are allowed to login to their account, within the limits set by th...

...uth from the Internet isn't prevented. b) ChallengeResponseAuthentication no KbdInteractiveAuthentication no Match Address 10.0.0.0/8 KbdInteractiveAuthentication yes Match User miguel KbdInteractiveAuthentication yes - from the Internet, the desired effect is obtained, when trying ssh -o PubkeyAuthentication=no user at example.com, I get: Permission denied (publickey) - from the local net, when trying ssh -o PubkeyAuthentication=no user at example.com, I get: Permission denied (publickey,keyboard-interactive) That's funny, keyboard-interactive is allowed, but I'm not asked for a password, obv...

I have ssh running on port 22 and (say) port 33333. Port 22 is restricted at layer 3 so not much can get to it. Port 33333 is open to the world. I only want to allow one user to authenticated using port 33333, but all users to authenticate using port 22. Is there any way to do this without running 2 sshd processes? -- Alex Bligh

...and can be done securely ... If you could match on principals in the sshd_config, then (for example) on a gateway machine, you could have something like /etc/ssh/authorized_keys/sshfwd: cert-authority,principals=?batcha-fwd,batchb-fwd? ... /etc/ssh/sshd_config containing: Match User sshfwd PubkeyAuthentication yes PasswordAuthentication no GatewayPorts no AllowTcpForwarding yes HostbasedAuthentication no AllowAgentForwarding no X11Forwarding no Banner none Forc...