8

How do I set up sshd to require both a private key and a password?

In /etc/ssh/sshd_config, I currently have:

RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes

But apparently this allows a user to log in using either a private key or a password.

Liczyrzepa
ryanprayogo

3 Answers

4

Recent versions of OpenSSH have made this much easier to accomplish!

In /etc/ssh/sshd_config simply add the following:

AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"

If you wish to allow a specific IP address (e.g. 192.168.10.10) to be able to log in with the OpenSSH default methods, but require every other IP address to use both a password and key, you can add the following Match block instead:

Match Address "*,!192.168.10.10"
    AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"

Though not well documented, the leading asterisk is required on the match line; Match Address "!192.168.10.10" will actually never match. This may change in future versions of OpenSSH.

Liczyrzepa
  • Please don't post the same answer multiple times, and also don't try to edit other people's posts with your own answers. Leave a comment with a link to your answer when appropriate. – Sven May 04 '16 at 15:20
  • You have my apologies - I've deleted the identical answer – Liczyrzepa May 04 '16 at 15:25
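A small checker for the two configurations in this answer, added here as an example (it is not from the original post or from OpenSSH): it parses an sshd_config fragment, confirms that every AuthenticationMethods alternative chains publickey with password or keyboard-interactive, and flags a Match Address made only of negated patterns, which the answer notes never matches. The config text is constructed for the example.

```python
import re

# Constructed sample sshd_config (not from the page) using the answer's directives.
SAMPLE_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"
Match Address "*,!192.168.10.10"
    AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"
"""
SECOND_FACTORS = {"password", "keyboard-interactive"}

def parse_blocks(text):
    """Split sshd_config into (criteria, {keyword: [values]}); 'global' precedes any Match."""
    blocks = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key.lower() == "match":
            blocks.append((rest.strip(), {}))
        else:
            blocks[-1][1].setdefault(key.lower(), []).append(rest.strip())
    return blocks

def requires_key_and_second_factor(value):
    """Every alternative in '"publickey,password" "publickey,keyboard-interactive"' must chain publickey with a second factor."""
    methods = [tok.strip('"').split(",") for tok in value.split()]
    return all("publickey" in m and SECOND_FACTORS & set(m) for m in methods)

def negated_only_address(criteria):
    """The pitfall from the answer: a Match Address made only of negated patterns never matches."""
    m = re.search(r'Address\s+"?([^"\s]+)"?', criteria, re.IGNORECASE)
    return bool(m) and all(p.startswith("!") for p in m.group(1).split(","))

def audit(text):
    """Return findings; an empty list means every path requires key plus a second factor."""
    findings = []
    for criteria, kws in parse_blocks(text):
        if criteria == "global" and "authenticationmethods" not in kws:
            findings.append("global: no AuthenticationMethods, any single method is accepted")
        elif criteria != "global" and negated_only_address(criteria):
            findings.append(f"{criteria}: only negated Address patterns, block never applies")
        for v in kws.get("authenticationmethods", []):
            if not requires_key_and_second_factor(v):
                findings.append(f"{criteria}: AuthenticationMethods {v} allows a single factor")
    return findings
```

This only checks the text; on the server itself, `sshd -T -C addr=192.168.10.10,user=someuser` prints the directives sshd would actually apply to that client.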
4

You need to set up an SSH gatekeeper. This allows OpenSSH to permit multifactor authentication.

Here's a great link: https://calomel.org/openssh.html

Essentially, you use the ForceCommand directive to run a script when the user logs in. That script then prompts the user for the password. I'm currently looking for a method to verify a given password against the system password, but I'm coming up (understandably) blank.

If the user account is stored in an LDAP directory, you could attempt to bind to the directory using those credentials, but the problem is going to be that the program running will be running as the user, not as root. I don't know the security implications of writing the compiled code and setting it SUID.

Hopefully someone will give you a better answer.

But since I've typed this much, are you in an ultra-secure site? Because that's really the only reason for this. Normal public keys with passphrases should be more than adequate for 99% of cases out there.

Matt Simmons
  • You don't need root privileges to bind to an LDAP server. What you need is an account with very limited privileges (just bind and search uid, cn) to find the user's CN. When you have the CN you bind again and provide the password prompt to the user. The downside is that this will not enforce password aging unless you use ppolicy. – Hubert Kario Jul 11 '11 at 12:56
  • Isn't there a way to trick PAM to ask for the user password once you're signed in using SSH and PKI? – chrw Feb 21 '12 at 12:39
-3

Two-factor authentication? Not quite. The certificate is a stronger authentication method than a password.

If you are afraid that the certificate can be compromised, then set up the private keys to be password protected. This ensures that the user is prompted for a password before the certificate can be used. That gives you two-factor authentication. You will know that the connection comes from someone who has both possession of the private key and also the password to unlock it.

And disable password authentication on your ssh server. This stops people from using dictionary/brute-force attacks.

sybreon
  • Putting a password on the private key really isn't the same as requiring both key and password from the server. The latter is something which is forced server side, while the protected key file is something left up to the user. – andol Dec 13 '09 at 03:02
  • What I don't agree with is that this form of two-factor authentication is more secure than certificates. I'm afraid of the pseudo-security feeling that it may give. – sybreon Dec 14 '09 at 00:50