
I'm trying to get a user account to be able to be used both with private key only and private key + password. The password only really needs to be long enough for opportunity-based attacks, as I'd like this kind of authentication used on my Android-based phone.

However, on my home computer I do not see it as necessary to also have password authentication enabled. Thus I'd want to use something similar to sshpass, which is able to store the password. When I tried to set it up I got the following error message, presumably from the private key authentication:

Authenticated with partial success.

And then I'm asked for the password again anyway.

What I use in my sshd config:

Match User x
    AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"

Sure, I know I could set up a password for the private key, but I think that while it is currently unprotected, I might want to protect it with a stronger password or another method in the future for other than opportunity-based malicious use.

rkantos

1 Answer


As described in ssh_config(5), AuthenticationMethods:

For example, “publickey,password publickey,keyboard-interactive” would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. Only methods that are next in one or more lists are offered at each stage, so for this example it would not be possible to attempt password or keyboard-interactive authentication before public key.

You either require password authentication after public key authentication or you don't. You can't have both matching the same condition, as publickey,password publickey would always allow authentication with the public key alone, being equal to publickey.

That is, if you don't have any matching criterion other than the username.

The arguments to Match are one or more criteria-pattern pairs or the single token All which matches all criteria. The available criteria are User, Group, Host, LocalAddress, LocalPort, and Address. The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators described in the PATTERNS section of ssh_config(5).

The patterns in an Address criteria may additionally contain addresses to match in CIDR address/masklen format, such as 192.0.2.0/24 or 2001:db8::/32. Note that the mask length provided must be consistent with the address - it is an error to specify a mask length that is too long for the address or one with bits set in this host portion of the address.

If you have a static IP at home or a static IP block at work, you can use it as another criterion. Best practice is to use more demanding authentication methods on untrusted networks.

Here's an example of using three different combinations of authentication methods in four different conditions. (John and Jane are users belonging to the group employee.)

# UsePAM is not permitted inside a Match block, so it has to be set globally
UsePAM yes

# Static IP address, John at home
Match User john Address 198.51.100.78
    AuthenticationMethods publickey

# Static IP address, Jane at home
Match User jane Address 192.0.2.90
    AuthenticationMethods publickey

# Require also password for all employees on company network 203.0.113.0/24
# (must come before the catch-all employee block: the first matching block wins)
Match Group employee Address 203.0.113.0/24
    AuthenticationMethods publickey,password

# Require public key and Google Authenticator for employees anywhere else
Match Group employee
    ChallengeResponseAuthentication yes
    AuthenticationMethods publickey,keyboard-interactive
    PasswordAuthentication no

The Google Authenticator in the last example requires libpam-google-authenticator to be installed and configured in /etc/pam.d/sshd with the line auth required pam_google_authenticator.so.


Another method for a single user without access to sshd_config, assuming publickey authentication without password authentication is in use: use the same key without a password on the home computer and with a password at work. Depending on the situation with the original key:

  • Remove passphrase with openssl rsa -in work-encrypted.key -out open-home.key
  • Add passphrase with openssl rsa -des3 -in open-home.key -out work-encrypted.key
Esa Jokinen