Paul Hartman wrote:
> On Thu, Jan 8, 2009 at 12:12 PM, Paul Hartman
> <[email protected]> wrote:
>
>> On Thu, Jan 8, 2009 at 10:57 AM, Paul Hartman
>> <[email protected]> wrote:
>>
>>> On Wed, Jan 7, 2009 at 6:11 PM, Dave Jones <[email protected]> wrote:
>>>
>>>> Paul Hartman wrote on 08/01/09 00:28:
>>>>
>>>>> Hi,
>>>>>
>>>>> Normally I'm using SSH with regular password login, and I've read
>>>>> about generating a keypair and having a password-less connection that
>>>>> way. Is there a way to require both the key AND a password? Basically
>>>>> if I put the key in my SSH client at work, I don't want a co-worker to
>>>>> be able to login to my home PC, or someone to grab my phone, etc.
>>>>>
>>>>> Is there a way to put a passphrase on the key (separate from my user
>>>>> account password)? Maybe that would work... Otherwise I've thought
>>>>> about having a dummy SSH account and then "su - realuser" to get
>>>>> access, but that seems kind of messy.
>>>>>
>>>>> I've always used password login and IP-restricted it, but now I'm
>>>>> traveling more and never know what IP I might be connecting from, so
>>>>> using a key seems to be the best plan, or maybe some kind of
>>>>> portknocking (but that's difficult from restricted ssh environments
>>>>> such as a phone).
>>>>>
>>>>>
>>>> By default ssh-keygen creates a key pair with a passphrase. It's your
>>>> choice to enter or omit a passphrase.
>>>>
>>>> If you've generated a key without a passphrase, you can add a passphrase
>>>> using ssh-keygen -p
>>>>
>>>> Entering a passphrase encrypts the private part of the key, which you keep
>>>> only on the server. You only need the public part of the key on the client.
>>>>
>>>> Cheers, Dave
>>>>
>>> It works great. Thanks everyone for your responses!
>>>
>>> Paul
>>>
>>>
>> Well, almost great :)
>>
>> I can't figure out how to get NXclient to connect. It says the key is
>> corrupt or has a passphrase (which it does). Has anyone used NX with a
>> key-based SSH with passphrase?
>>
>> Thanks,
>> Paul
>>
>
> I figured it out. It was a two-part solution:
>
> 1) password logins must be enabled to use system authentication with
> NX. Since I don't want password logins, I had to use NX's internal
> user and password database instead. This requires maintaining separate
> passwords for NX...
>
> 2) the "nx" user is locked and passwordless; I had to give it a
> password in order to unlock it.
>
> After doing that, NX now works!
>
> *mental note: if I ever want to revoke someone's access to my machine
> or change their password, I must remember to check for SSH keys & NX
> user accounts (which are actually SSH keys as well) in addition to
> changing the password on their system account.
>
> Thanks again,
> Paul
>
>

You could also use ssh-agent to unlock the key if you don't want to use a null-passphrase key
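The revocation note quoted above (check SSH keys and the NX accounts, not only the system password) can be backed by a small audit. The following is an added example, not part of the thread: a POSIX shell function that lists every authorized_keys entry for each account under a home root. The home-root argument, the make_sample_homes helper and the key blobs inside it are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every key that can log in to the accounts under a home root.

# audit_authorized_keys HOME_ROOT
# Output: account <TAB> file <TAB> key type <TAB> options <TAB> comment
audit_authorized_keys() {
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        # OpenSSH's default AuthorizedKeysFile setting covers both names.
        for f in "$home.ssh/authorized_keys" "$home.ssh/authorized_keys2"; do
            [ -f "$f" ] || continue
            awk -v user="$user" -v file="${f##*/}" '
                /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments, blank lines
                {
                    line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line); opts = "-"
                    # No key type at the start means the line begins with options.
                    if (line !~ /^(ssh-|ecdsa-|sk-)/) {
                        inq = 0
                        for (i = 1; i <= length(line); i++) {
                            c = substr(line, i, 1)
                            if (c == "\\") { i++; continue }  # escaped character
                            if (c == "\"") inq = !inq         # quotes may hold spaces
                            else if ((c == " " || c == "\t") && !inq) break
                        }
                        opts = substr(line, 1, i - 1)
                        line = substr(line, i + 1); sub(/^[ \t]+/, "", line)
                    }
                    n = split(line, p, /[ \t]+/); comment = "-"
                    if (n >= 3) {
                        comment = p[3]
                        for (j = 4; j <= n; j++) comment = comment " " p[j]
                    }
                    printf "%s\t%s\t%s\t%s\t%s\n", user, file, p[1], opts, comment
                }' "$f"
        done
    done
}

# Constructed sample data: two accounts with placeholder key blobs.
make_sample_homes() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/paul/.ssh" "$d/nx/.ssh"
    printf '%s\n' '# laptop' 'ssh-rsa AAAAB3CONSTRUCTED paul@work laptop' \
        'from="10.0.0.*",command="echo hi there" ssh-ed25519 AAAAC3CONSTRUCTED phone' \
        > "$d/paul/.ssh/authorized_keys"
    printf '%s\n' 'no-pty ssh-dss AAAAB3CONSTRUCTED' > "$d/nx/.ssh/authorized_keys2"
    echo "$d"
}
```

Run it against the real home root, and again against the directory holding the nx account's home if that lives elsewhere; any line whose comment you cannot attribute is a key to review.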

