Dave Jones wrote:
Paul Hartman wrote on 08/01/09 00:28:
Hi,
Normally I'm using SSH with regular password login, and I've read
about generating a keypair and having a password-less connection that
way. Is there a way to require both the key AND a password? Basically
if I put the key in my SSH client at work, I don't want a co-worker to
be able to login to my home PC, or someone to grab my phone, etc.
Is there a way to put a passphrase on the key (separate from my user
account password)? Maybe that would work... Otherwise I've thought
about having a dummy SSH account and then "su - realuser" to get
access, but that seems kind of messy.
I've always used password login and IP-restricted it, but now I'm
traveling more and never know what IP I might be connecting from, so
using a key seems to be the best plan, or maybe some kind of
portknocking (but that's difficult from restricted ssh environments
such as a phone).
By default ssh-keygen creates a key pair with a passphrase. It's your choice to
enter or omit a passphrase.
If you've generated a key without a passphrase, you can add a passphrase using
ssh-keygen -p
Entering a passphrase encrypts the private part of the key, which you keep only
on the server. You only need the public part of the key on the client.
Cheers, Dave
Other way around, the server (i.e. the machine you're logging into) has the
public key stored in the authorized_keys file. The client (i.e. the machine
you're sitting at) has the private key.
So the private key would be sitting on your machine at work, but is in turn
encrypted and you need the passphrase to decrypt it.
On another note, ssh-agent has been mentioned, but you might want to take a
look at keychain (it's in portage). It's a nice script you can add to your
bashrc or similar, it will take care of checking if there's already a running
ssh-agent or not, and if not, ask for the password to any private keys and
start ssh-agent. I use it on all my machines so on first boot I put in my
password, then passwordless access between machines. If an attacker manages to
get the key file off disk however, it is still encrypted and not much good to
them.
Shawn
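The steps the replies above describe, worked through as an added example (this script is not from the thread or from any of its posters): generate a key pair with a passphrase, retrofit a passphrase onto an existing unprotected key with `ssh-keygen -p`, check that the private key on disk really is encrypted, and drop the public half into authorized_keys with the permissions sshd expects. File paths, the demo passphrases and the scratch home directory are all constructed for the example; it assumes a reasonably current OpenSSH (ed25519 keys, `ssh-keygen -y -P`) and runs entirely in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Demonstrates the
# passphrase-protected key workflow discussed above. All paths and passphrases
# are constructed for the demo and live in a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Client side: generate a key pair. -N is the passphrase; "" means none,
# which is what an unprotected "password-less" key looks like.
gen_key() {            # $1 = private key path, $2 = passphrase ("" for none)
    ssh-keygen -q -t ed25519 -N "$2" -C "demo-key (constructed)" -f "$1"
}

# Add or change the passphrase on an existing private key (ssh-keygen -p).
# -P is the current passphrase ("" if the key had none), -N the new one.
set_passphrase() {     # $1 = private key path, $2 = old passphrase, $3 = new
    ssh-keygen -q -p -P "$2" -N "$3" -f "$1"
}

# Returns 0 if the private key file is encrypted, 1 if it is stored in the
# clear. Rather than parse the key format, ask ssh-keygen to derive the public
# key using an empty passphrase: that only succeeds for an unencrypted key.
key_is_encrypted() {   # $1 = private key path
    if ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1; then
        return 1       # derived with no passphrase, so the key is in the clear
    fi
    return 0
}

# Server side: append the public half to ~/.ssh/authorized_keys. sshd ignores
# the file when it or ~/.ssh is group/world writable (StrictModes), so set
# the modes explicitly. $2 is the target home directory (a scratch dir here).
install_pubkey() {     # $1 = .pub file, $2 = home directory on the server
    mkdir -p "$2/.ssh"
    chmod 700 "$2/.ssh"
    cat "$1" >> "$2/.ssh/authorized_keys"
    chmod 600 "$2/.ssh/authorized_keys"
}

# Prints how many lines in authorized_keys carry this key's base64 blob
# (field 2 of the .pub line); 1 means it is installed exactly once.
pubkey_installed() {   # $1 = .pub file, $2 = home directory on the server
    blob=$(awk '{print $2}' "$1")
    grep -c -F "$blob" "$2/.ssh/authorized_keys" || true
}

# Walk through the OP's situation: a key with no passphrase, then fixed.
demo() {
    gen_key "$WORK/id_plain" ""                    # unprotected key
    if key_is_encrypted "$WORK/id_plain"; then
        echo "unexpected: fresh key without -N reported as encrypted" >&2
        return 1
    fi
    set_passphrase "$WORK/id_plain" "" "correct horse battery"   # ssh-keygen -p
    key_is_encrypted "$WORK/id_plain" || return 1  # now useless without it
    install_pubkey "$WORK/id_plain.pub" "$WORK/home"
    [ "$(pubkey_installed "$WORK/id_plain.pub" "$WORK/home")" -eq 1 ] || return 1
    echo "ok: private key is encrypted, public key installed in $WORK/home/.ssh"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    demo
else
    echo "ssh-keygen not found; nothing run" >&2
fi
```

With the private key encrypted, an attacker who copies the file from the work machine or the phone still needs the passphrase, which is the property Shawn describes; ssh-agent or keychain only caches the decrypted key in memory for the session. If the goal really is "key AND the account password" as originally asked, that is a server-side setting rather than anything in the key: OpenSSH 6.2 and later accept `AuthenticationMethods publickey,password` in sshd_config, which the thread (2009) predates.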