sshd: Allow direct login for certain public keys and require password also for the rest


  • I have a server running sshd.

  • I have a secure machine with a ssh key.
    I want to allow direct public key login to the server with the secure
    machine's key.

  • I also have a laptop with a different ssh key, which
    may get compromised if I lose it. I want to require password on top of public key authentication, in case the key has been compromised.


Is this configuration possible to achieve modifying sshd_config?



Please note that this question is not about setting both public key and password for login. Instead I'm looking for a way to choose different combinations depending on the public key.







– AndresR
  asked 23 hours ago, edited 22 hours ago













  • Possible duplicate of How do I configure sshd to 1) require public key _and_ 2) require a password for login?

    – RubberStamp
    22 hours ago











  • @RubberStamp Please note that this question is not about setting both public key and password for login. Instead I'm looking for a way to choose different combinations depending on which public key is used.

    – AndresR
    22 hours ago











  • I haven't tried this yet... but, you might get away with putting command="login" in front of the public key listed in ~/.ssh/authorized_keys ... actually, just tried it... it does work... command="login username" ssh-rsa AAAA...

    – RubberStamp
    21 hours ago













  • @RubberStamp I'm trying login username but, after introducing a wrong password I'm able to login as any user, not just the username. Is there any way to prompt for login for only a given user?

    – AndresR
    1 hour ago



















1 Answer
Using MATCH to require multiple authentication methods



Unfortunately, it doesn't appear that sshd_config supports using a given public key as Match criteria. However, if your secure machine and your laptop always connect to the server using separate host addresses, a Match section can be used to require multiple authentication methods for a given user.



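Add the following Match section to sshd_config:



# Match criteria are separated by whitespace; both must match
Match Host laptop.host.ip.addr User sshuser
    # Enable password authentication for this block only
    PasswordAuthentication yes
    # Comma-separated list: publickey and then password are both required
    AuthenticationMethods publickey,password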


Each authentication method needs to be explicitly enabled within the sshd_config configuration. This can be done within the Match section in order to avoid changing global authentication settings.



The AuthenticationMethods option is a list of comma-delimited lists. So, AuthenticationMethods publickey,password is different than AuthenticationMethods publickey password. In the former example, both publickey and password authentication are required. In the latter example, either publickey or password authentication is required.







– RubberStamp
  answered 5 hours ago













  • Unfortunately I don't see a way to match the laptop IP. Could host-based authentication be used to identify the laptop?

    – AndresR
    1 hour ago
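
An added example (not part of the answer above, and not OpenSSH code): a simplified Python model of how sshd picks the settings for a connection from a Match section and how a comma-separated versus a space-separated AuthenticationMethods value is evaluated, run over a constructed sshd_config. It assumes only User and Host criteria with glob patterns, and secure.host.ip.addr is a hypothetical name for the secure machine.

```python
import fnmatch

# Constructed sample: key-only global policy plus the Match section from the answer.
SSHD_CONFIG = """\
PasswordAuthentication no
AuthenticationMethods publickey
Match Host laptop.host.ip.addr User sshuser
    PasswordAuthentication yes
    AuthenticationMethods publickey,password
"""

def parse(text):
    """Return [(criteria, settings)]; criteria is None for the global section."""
    blocks = [(None, {})]
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            words = value.split()
            crit = {words[i].lower(): words[i + 1] for i in range(0, len(words) - 1, 2)}
            blocks.append((crit, {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value for a keyword wins
    return blocks

def pattern_list_matches(patterns, value):
    """Comma-separated glob list; a matching '!pattern' vetoes the whole list."""
    hit = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(value, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(value, pat):
            hit = True
    return hit

def effective(blocks, conn):
    """Settings for conn ({'user': ..., 'host': ...}): matching Match sections
    take precedence over the global section, keyword by keyword."""
    result = {}
    for crit, settings in blocks[1:] + blocks[:1]:
        if crit is None or all(pattern_list_matches(p, conn.get(c, "")) for c, p in crit.items()):
            for key, value in settings.items():
                result.setdefault(key, value)
    return result

def is_authenticated(auth_methods, completed):
    """Replay the methods a client completed, in order, against an AuthenticationMethods value."""
    if auth_methods == "any":
        return bool(completed)
    lists = [entry.split(",") for entry in auth_methods.split()]
    for method in completed:
        for entry in lists:
            if entry and entry[0] == method:  # a method only counts at the head of a list
                entry.pop(0)
        if any(not entry for entry in lists):
            return True
    return False

if __name__ == "__main__":
    blocks = parse(SSHD_CONFIG)
    for host in ("laptop.host.ip.addr", "secure.host.ip.addr"):
        methods = effective(blocks, {"user": "sshuser", "host": host})["authenticationmethods"]
        print(host, methods, "key alone:", is_authenticated(methods, ["publickey"]))
```

On a real server, `sshd -T -C user=sshuser,host=laptop.host.ip.addr,addr=<client-ip>` prints the effective settings sshd would apply to such a connection.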


















