Re: [gentoo-user] SSH login with both key AND password?

2009-01-08 Thread Norberto Bensa
On Wednesday January 7 2009 22:11:56 Dave Jones wrote:

 Entering a passphrase encrypts the private part of the key, which you keep
 only on the server. You only need the public part of the key on the client.

Try it the other way: private on the client. Public on the server. 

The private part is what you have: the key.

The public part is what you put on the server: the lock.

You can give the lock to whatever person you want, but only your key will 
unlock it.


Regards,
Norberto




Re: [gentoo-user] SSH login with both key AND password?

2009-01-08 Thread Paul Hartman
On Wed, Jan 7, 2009 at 6:11 PM, Dave Jones dave.jo...@xs4all.nl wrote:
 Paul Hartman wrote on 08/01/09 00:28:
 Hi,

 Normally I'm using SSH with regular password login, and I've read
 about generating a keypair and having a password-less connection that
 way. Is there a way to require both the key AND a password? Basically
 if I put the key in my SSH client at work, I don't want a co-worker to
 be able to login to my home PC, or someone to grab my phone, etc.

 Is there a way to put a passphrase on the key (separate from my user
 account password)? Maybe that would work... Otherwise I've thought
 about having a dummy SSH account and then su - realuser to get
 access, but that seems kind of messy.

 I've always used password login and IP-restricted it, but now I'm
 traveling more and never know what IP I might be connecting from, so
 using a key seems to be the best plan, or maybe some kind of
 portknocking (but that's difficult from restricted ssh environments
 such as a phone).

 By default ssh-keygen creates a key pair with a passphrase. It's your choice 
 to enter or omit a passphrase.

 If you've generated a key without a passphrase, you can add a passphrase 
 using ssh-keygen -p

 Entering a passphrase encrypts the private part of the key, which you keep 
 only on the server. You only need the public part of the key on the client.

 Cheers, Dave

It works great. Thanks everyone for your responses!

Paul



Re: [gentoo-user] SSH login with both key AND password?

2009-01-08 Thread Paul Hartman
On Thu, Jan 8, 2009 at 10:57 AM, Paul Hartman
paul.hartman+gen...@gmail.com wrote:
 On Wed, Jan 7, 2009 at 6:11 PM, Dave Jones dave.jo...@xs4all.nl wrote:
 Paul Hartman wrote on 08/01/09 00:28:
 Hi,

 Normally I'm using SSH with regular password login, and I've read
 about generating a keypair and having a password-less connection that
 way. Is there a way to require both the key AND a password? Basically
 if I put the key in my SSH client at work, I don't want a co-worker to
 be able to login to my home PC, or someone to grab my phone, etc.

 Is there a way to put a passphrase on the key (separate from my user
 account password)? Maybe that would work... Otherwise I've thought
 about having a dummy SSH account and then su - realuser to get
 access, but that seems kind of messy.

 I've always used password login and IP-restricted it, but now I'm
 traveling more and never know what IP I might be connecting from, so
 using a key seems to be the best plan, or maybe some kind of
 portknocking (but that's difficult from restricted ssh environments
 such as a phone).

 By default ssh-keygen creates a key pair with a passphrase. It's your choice 
 to enter or omit a passphrase.

 If you've generated a key without a passphrase, you can add a passphrase 
 using ssh-keygen -p

 Entering a passphrase encrypts the private part of the key, which you keep 
 only on the server. You only need the public part of the key on the client.

 Cheers, Dave

 It works great. Thanks everyone for your responses!

 Paul


Well, almost great :)

I can't figure out how to get NXclient to connect. It says the key is
corrupt or has a passphrase (which it does). Has anyone used NX with a
key-based SSH with passphrase?

Thanks,
Paul



Re: [gentoo-user] SSH login with both key AND password?

2009-01-08 Thread Paul Hartman
On Thu, Jan 8, 2009 at 12:12 PM, Paul Hartman
paul.hartman+gen...@gmail.com wrote:
 On Thu, Jan 8, 2009 at 10:57 AM, Paul Hartman
 paul.hartman+gen...@gmail.com wrote:
 On Wed, Jan 7, 2009 at 6:11 PM, Dave Jones dave.jo...@xs4all.nl wrote:
 Paul Hartman wrote on 08/01/09 00:28:
 Hi,

 Normally I'm using SSH with regular password login, and I've read
 about generating a keypair and having a password-less connection that
 way. Is there a way to require both the key AND a password? Basically
 if I put the key in my SSH client at work, I don't want a co-worker to
 be able to login to my home PC, or someone to grab my phone, etc.

 Is there a way to put a passphrase on the key (separate from my user
 account password)? Maybe that would work... Otherwise I've thought
 about having a dummy SSH account and then su - realuser to get
 access, but that seems kind of messy.

 I've always used password login and IP-restricted it, but now I'm
 traveling more and never know what IP I might be connecting from, so
 using a key seems to be the best plan, or maybe some kind of
 portknocking (but that's difficult from restricted ssh environments
 such as a phone).

 By default ssh-keygen creates a key pair with a passphrase. It's your 
 choice to enter or omit a passphrase.

 If you've generated a key without a passphrase, you can add a passphrase 
 using ssh-keygen -p

 Entering a passphrase encrypts the private part of the key, which you keep 
 only on the server. You only need the public part of the key on the client.

 Cheers, Dave

 It works great. Thanks everyone for your responses!

 Paul


 Well, almost great :)

 I can't figure out how to get NXclient to connect. It says the key is
 corrupt or has a passphrase (which it does). Has anyone used NX with a
 key-based SSH with passphrase?

 Thanks,
 Paul

I figured it out. It was a two-part solution:

1) password logins must be enabled to use system authentication with
NX. Since I don't want password logins, I had to use NX's internal
user and password database instead. This requires maintaining separate
passwords for NX...

2) the nx user is locked and passwordless; I had to give it a
password in order to unlock it.

After doing that, NX now works!

*mental note: if I ever want to revoke someone's access to my machine
or change their password, I must remember to check for SSH keys & NX
user accounts (which are actually SSH keys as well) in addition to
changing the password on their system account.

Thanks again,
Paul
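
The revocation check in the mental note above comes down to reading every `authorized_keys` entry and identifying each key. The following is an added example, not code from the thread; the function names and the constructed sample keys are illustrative, and the fingerprint is the SHA256 form that current `ssh-keygen -l` prints.

```python
import base64
import hashlib

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

def split_options(line):
    """Split the leading options field off a line, honouring double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].strip()
    return line, ""

def audit_authorized_keys(text):
    """Return one dict per key entry: line, type, fingerprint, options, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line, options = raw.strip(), ""
        if not line or line.startswith("#"):
            continue
        if not line.startswith(KEY_PREFIXES):
            options, line = split_options(line)
        fields = line.split(None, 2) + [""]
        if len(fields) < 3 or not fields[0].startswith(KEY_PREFIXES):
            raise ValueError(f"line {lineno}: no key type found")
        keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
        # The blob embeds its own key type; a mismatch means a damaged entry.
        if not blob.startswith(len(keytype).to_bytes(4, "big") + keytype.encode()):
            raise ValueError(f"line {lineno}: key type does not match blob")
        fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        entries.append({"line": lineno, "type": keytype, "options": options,
                        "fingerprint": "SHA256:" + fp, "comment": fields[2]})
    return entries

def constructed_key(seed):
    """Constructed ed25519-shaped public blob (not a real key), base64-encoded."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([seed]) * 32
    return base64.b64encode(blob).decode()

SAMPLE = (
    "# constructed sample authorized_keys\n"
    f"ssh-ed25519 {constructed_key(1)} paul@work-laptop\n"
    f'from="192.0.2.*",command="echo hi there" ssh-ed25519 {constructed_key(2)} paul phone\n'
)

if __name__ == "__main__":
    for e in audit_authorized_keys(SAMPLE):
        print(e["line"], e["fingerprint"], e["options"] or "-", e["comment"])
```

The comment field is free text chosen by whoever installed the key, so match on the fingerprint when deciding which entry to remove.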



Re: [gentoo-user] SSH login with both key AND password?

2009-01-08 Thread Eric Martin
Paul Hartman wrote:
 On Thu, Jan 8, 2009 at 12:12 PM, Paul Hartman
 paul.hartman+gen...@gmail.com wrote:
   
 On Thu, Jan 8, 2009 at 10:57 AM, Paul Hartman
 paul.hartman+gen...@gmail.com wrote:
 
 On Wed, Jan 7, 2009 at 6:11 PM, Dave Jones dave.jo...@xs4all.nl wrote:
   
 Paul Hartman wrote on 08/01/09 00:28:
 
 Hi,

 Normally I'm using SSH with regular password login, and I've read
 about generating a keypair and having a password-less connection that
 way. Is there a way to require both the key AND a password? Basically
 if I put the key in my SSH client at work, I don't want a co-worker to
 be able to login to my home PC, or someone to grab my phone, etc.

 Is there a way to put a passphrase on the key (separate from my user
 account password)? Maybe that would work... Otherwise I've thought
 about having a dummy SSH account and then su - realuser to get
 access, but that seems kind of messy.

 I've always used password login and IP-restricted it, but now I'm
 traveling more and never know what IP I might be connecting from, so
 using a key seems to be the best plan, or maybe some kind of
 portknocking (but that's difficult from restricted ssh environments
 such as a phone).

   
 By default ssh-keygen creates a key pair with a passphrase. It's your 
 choice to enter or omit a passphrase.

 If you've generated a key without a passphrase, you can add a passphrase 
 using ssh-keygen -p

 Entering a passphrase encrypts the private part of the key, which you keep 
 only on the server. You only need the public part of the key on the client.

 Cheers, Dave
 
 It works great. Thanks everyone for your responses!

 Paul

   
 Well, almost great :)

 I can't figure out how to get NXclient to connect. It says the key is
 corrupt or has a passphrase (which it does). Has anyone used NX with a
 key-based SSH with passphrase?

 Thanks,
 Paul
 

 I figured it out. It was a two-part solution:

 1) password logins must be enabled to use system authentication with
 NX. Since I don't want password logins, I had to use NX's internal
 user and password database instead. This requires maintaining separate
 passwords for NX...

 2) the nx user is locked and passwordless; I had to give it a
 password in order to unlock it.

 After doing that, NX now works!

 *mental note: if I ever want to revoke someone's access to my machine
 or change their password, I must remember to check for SSH keys & NX
 user accounts (which are actually SSH keys as well) in addition to
 changing the password on their system account.

 Thanks again,
 Paul

   
You could also use ssh-agent to unlock the key if you don't want to use
a null-passphrase key





[gentoo-user] SSH login with both key AND password?

2009-01-07 Thread Paul Hartman
Hi,

Normally I'm using SSH with regular password login, and I've read
about generating a keypair and having a password-less connection that
way. Is there a way to require both the key AND a password? Basically
if I put the key in my SSH client at work, I don't want a co-worker to
be able to login to my home PC, or someone to grab my phone, etc.

Is there a way to put a passphrase on the key (separate from my user
account password)? Maybe that would work... Otherwise I've thought
about having a dummy SSH account and then su - realuser to get
access, but that seems kind of messy.

I've always used password login and IP-restricted it, but now I'm
traveling more and never know what IP I might be connecting from, so
using a key seems to be the best plan, or maybe some kind of
portknocking (but that's difficult from restricted ssh environments
such as a phone).

Thanks,
Paul



Re: [gentoo-user] SSH login with both key AND password?

2009-01-07 Thread Dave Jones
Paul Hartman wrote on 08/01/09 00:28:
 Hi,

 Normally I'm using SSH with regular password login, and I've read
 about generating a keypair and having a password-less connection that
 way. Is there a way to require both the key AND a password? Basically
 if I put the key in my SSH client at work, I don't want a co-worker to
 be able to login to my home PC, or someone to grab my phone, etc.

 Is there a way to put a passphrase on the key (separate from my user
 account password)? Maybe that would work... Otherwise I've thought
 about having a dummy SSH account and then su - realuser to get
 access, but that seems kind of messy.

 I've always used password login and IP-restricted it, but now I'm
 traveling more and never know what IP I might be connecting from, so
 using a key seems to be the best plan, or maybe some kind of
 portknocking (but that's difficult from restricted ssh environments
 such as a phone).
   
By default ssh-keygen creates a key pair with a passphrase. It's your choice to 
enter or omit a passphrase.

If you've generated a key without a passphrase, you can add a passphrase using 
ssh-keygen -p

Entering a passphrase encrypts the private part of the key, which you keep only 
on the server. You only need the public part of the key on the client.

Cheers, Dave




Re: [gentoo-user] SSH login with both key AND password?

2009-01-07 Thread Shawn Haggett

Dave Jones wrote:

Paul Hartman wrote on 08/01/09 00:28:

Hi,

Normally I'm using SSH with regular password login, and I've read
about generating a keypair and having a password-less connection that
way. Is there a way to require both the key AND a password? Basically
if I put the key in my SSH client at work, I don't want a co-worker to
be able to login to my home PC, or someone to grab my phone, etc.

Is there a way to put a passphrase on the key (separate from my user
account password)? Maybe that would work... Otherwise I've thought
about having a dummy SSH account and then su - realuser to get
access, but that seems kind of messy.

I've always used password login and IP-restricted it, but now I'm
traveling more and never know what IP I might be connecting from, so
using a key seems to be the best plan, or maybe some kind of
portknocking (but that's difficult from restricted ssh environments
such as a phone).
  

By default ssh-keygen creates a key pair with a passphrase. It's your choice to 
enter or omit a passphrase.

If you've generated a key without a passphrase, you can add a passphrase using 
ssh-keygen -p

Entering a passphrase encrypts the private part of the key, which you keep only 
on the server. You only need the public part of the key on the client.

Cheers, Dave



Other way around, the server (i.e. the machine you're logging into) has the
public key stored in the authorized_keys file. The client (i.e. the machine
you're sitting at) has the private key.

So the private key would be sitting on your machine at work, but is in turn 
encrypted and you need the passphrase to decrypt it.

On another note, ssh-agent has been mentioned, but you might want to take a 
look at keychain (it's in portage). It's a nice script you can add to your 
bashrc or similar, it will take care of checking if there's already a running
ssh-agent or not, and if not, ask for the password to any private keys and 
start ssh-agent. I use it on all my machines so on first boot I put in my 
password, then passwordless access between machines. If an attacker manages to 
get the key file off disk however, it is still encrypted and not much good to 
them.

Shawn