sshd: Allow direct login for certain public keys and require password also for the rest
- I have a server running sshd.
- I have a secure machine with a ssh key. I want to allow direct public key login to the server with the secure machine's key.
- I also have a laptop with a different ssh key, which may get compromised if I lose it. I want to require password on top of public key authentication, in case the key has been compromised.

Is this configuration possible to achieve modifying `sshd_config`?

Please note that this question is not about setting both public key and password for login. Instead I'm looking for a way to choose different combinations depending on the public key.
asked 23 hours ago, edited 22 hours ago – AndresR
Possible duplicate of How do I configure sshd to 1) require public key _and_ 2) require a password for login?
– RubberStamp
22 hours ago
@RubberStamp Please note that this question is not about setting both public key and password for login. Instead I'm looking for a way to choose different combinations depending on which public key is used.
– AndresR
22 hours ago
I haven't tried this yet... but, you might get away with putting `command="login"` in front of the public key listed in `~/.ssh/authorized_keys` ... actually, just tried it... it does work... `command="login username" ssh-rsa AAAA...`
– RubberStamp
21 hours ago
@RubberStamp I'm trying `login username` but, after introducing a wrong password I'm able to login as any user, not just the `username`. Is there any way to prompt for login for only a given user?
– AndresR
1 hour ago
1 Answer
Using MATCH to require multiple authentication methods

Unfortunately, it doesn't appear that `sshd_config` supports using a given public key as Match criteria. However, if your secure machine and your laptop always connect to the server using separate host addresses, a Match section can be used to require multiple authentication methods for a given user.

Add the following Match section to `sshd_config`:

```
Match Host laptop.host.ip.addr, User sshuser
    PasswordAuthentication yes
    AuthenticationMethods publickey,password
```

Each authentication method needs to be explicitly enabled within the `sshd_config` configuration. This can be done within the Match section in order to avoid changing global authentication settings.

The `AuthenticationMethods` option is a list of comma delimited lists. So, `AuthenticationMethods publickey,password` is different than `AuthenticationMethods publickey password`. In the former example, both publickey and password authentication are required. In the latter example either publickey or password authentication are required.
answered 5 hours ago – RubberStamp
Unfortunately I don't see a way to match the laptop IP. Could host-based authentication be used to identify the laptop?
– AndresR
1 hour ago
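
The "list of comma delimited lists" rule from the answer above, as an added example that is not part of the original answer: a small Python model of how sshd steps through `AuthenticationMethods`, where each whitespace-separated alternative is an ordered list and only the next method of each alternative is offered. The function names are hypothetical, and submethods such as `keyboard-interactive:pam` and the special value `any` are not modelled.

```python
"""Model of how sshd evaluates AuthenticationMethods (constructed example)."""


def parse_methods(value):
    """Split an AuthenticationMethods value into its alternative lists.

    Whitespace separates alternatives; commas join methods that must all
    succeed, in order, within one alternative.
    """
    lists = [alt.split(",") for alt in value.split()]
    if not lists or any(m == "" for alt in lists for m in alt):
        raise ValueError(f"malformed AuthenticationMethods: {value!r}")
    return lists


def offered(remaining):
    """Methods the server accepts next: the head of every alternative."""
    return {alt[0] for alt in remaining}


def authenticate(value, successes):
    """Replay successful method completions against the policy.

    `successes` is the ordered list of methods the client completed.
    Returns (granted, methods_still_offered).
    """
    remaining = parse_methods(value)
    for method in successes:
        if method not in offered(remaining):
            continue  # not offered at this stage, so the attempt is refused
        # Advance every alternative that was waiting on this method.
        remaining = [alt[1:] if alt[0] == method else alt for alt in remaining]
        if any(not alt for alt in remaining):
            return True, set()  # one alternative fully completed
    return False, offered(remaining)


if __name__ == "__main__":
    # The two spellings contrasted in the answer, with constructed attempts.
    for policy in ("publickey,password", "publickey password"):
        for attempt in (["publickey"], ["password"], ["publickey", "password"]):
            granted, nxt = authenticate(policy, attempt)
            print(f"{policy!r:24} {attempt!s:28} granted={granted} next={sorted(nxt)}")
```

With the comma form, a stolen laptop key alone ends in partial success with `password` still outstanding; with the space form, either factor on its own is enough.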