[ale] Possible to configure sshd to require key AND password?

Neal Rhodes neal at mnopltd.com
Wed Jul 20 12:04:52 EDT 2011


Thanks.  Yes, a password on the key doesn't quite seem to do it. 

At https://calomel.org/openssh.html there is a description of using 
        ForceCommand /tools/ssh_gatekeeper.sh 

in the sshd_config and constructing your own ssh_gatekeeper.sh to
present whatever fiendish challenges you want, and this must return the
correct value to allow the ssh session to continue. 

That seems fairly simple. 

On Wed, 2011-07-20 at 11:42 -0400, Jim Kinney wrote:
> By default it tries key first then password if not turned off. So
> valid key works and if no key offered password ok.
> 
> There is no way within ssh to require both other than as Charles said,
> password on the key. But that's all at the client end unless using a
> key management system that escrows priv keys (badbadbad!!!).
> 
> On Wed, Jul 20, 2011 at 11:36 AM, Charles Shapiro
> <hooterpincher at gmail.com> wrote:
>         You can associate a password with an ssh key.
>         
>         -- CHS 
>         
>         
>         
>         On Wed, Jul 20, 2011 at 11:33 AM, Neal Rhodes
>         <neal at mnopltd.com> wrote:
>         > On a recent Fedora system, running fail2ban and sshd not allowing root
>         > logins,    I still get a certain number of failed ssh attempts every day.
>         > This is not a particularly attractive target to attack.
>         >
>         > Is it possible to configure sshd to require both the public/private key AND
>         > a password to get in?   It looks like the various flavors of Connectbox
>         > support public/private key, and while perhaps not full blown 2 factor
>         > authentication, it would eliminate the possibility of a successful guessing
>         > attack, (won't have key) and if I lost my phone or tablet with the key, the
>         > person with the tablet couldn't get in without the password.
>         >
>         > If so, any pointers to a recipe?   sshd_config isn't quite replete with
>         > examples.
>         >
>         > Neal Rhodes
>         > MNOP Ltd
>         
>         > _______________________________________________
>         > Ale mailing list
>         > Ale at ale.org
>         > http://mail.ale.org/mailman/listinfo/ale
>         > See JOBS, ANNOUNCE and SCHOOLS lists at
>         > http://mail.ale.org/mailman/listinfo
>         >
>         >
>         
> 
> 
> 
> -- 
> -- 
> James P. Kinney III
> 
> As long as the general population is passive, apathetic, diverted to
> consumerism or hatred of the vulnerable, then the powerful can do as
> they please, and those who survive will be left to contemplate the
> outcome.
> - 2011 Noam Chomsky
> 
> http://heretothereideas.blogspot.com/
> 

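The ForceCommand gatekeeper described in the reply at the top of this message, as an added sketch that is not part of the original thread or of the calomel.org page. The secret file location, its `salt:sha256hex` layout and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: /tools/ssh_gatekeeper.sh, started by sshd through ForceCommand
# once public-key authentication has succeeded. SECRET_FILE and its
# "salt:sha256hex" layout are assumptions; salted SHA-256 keeps the sketch
# short, a slow password hash is the better choice for a real deployment.
SECRET_FILE="${SECRET_FILE:-$HOME/.ssh/gatekeeper_secret}"

# Print the hex SHA-256 of salt followed by secret.
hash_secret() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# verify_secret "salt:hash" candidate -> status 0 only on a match (fails closed).
verify_secret() {
    salt=${1%%:*}
    want=${1#*:}
    [ -n "$want" ] && [ "$(hash_secret "$salt" "$2")" = "$want" ]
}

# Read one line from the terminal with echo switched off.
prompt_secret() {
    printf 'Second factor: ' >&2
    stty -echo
    IFS= read -r reply || reply=
    stty echo
    printf '\n' >&2
    printf '%s' "$reply"
}

gatekeeper_main() {
    trap 'stty echo 2>/dev/null; exit 1' INT TERM HUP
    # scp, sftp and "ssh host cmd" without -t have no terminal to prompt on: refuse.
    [ -t 0 ] || { echo 'gatekeeper: interactive terminal required' >&2; exit 1; }
    stored=$(cat "$SECRET_FILE" 2>/dev/null) || exit 1
    if verify_secret "$stored" "$(prompt_secret)"; then
        logger -p auth.info "gatekeeper: accepted $USER from ${SSH_CLIENT%% *}"
        # Hand over to what the client asked for, or to a login shell.
        if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
            exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
        fi
        exec "${SHELL:-/bin/sh}" -l
    fi
    logger -p auth.warning "gatekeeper: rejected $USER from ${SSH_CLIENT%% *}"
    exit 1
}

# Run the gate only when invoked under the name sshd_config points at.
case "$0" in
    *ssh_gatekeeper.sh) gatekeeper_main ;;
esac
```

The gatekeeper runs after authentication and under the user's own shell, so it guards against a stolen key rather than against the account owner. OpenSSH 6.2 and later can enforce both factors inside sshd itself with `AuthenticationMethods publickey,password`.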

