LinuxQuestions.org
Old 04-30-2013, 05:56 AM   #1
jonaskellens
ssh2 : public key auth and specific user login


Hello,

I use public key authentication to get access to my servers via ssh2.

Can I still allow 1 user to ssh to the server without public key authentication ? This user account is used from within a script to access a directory on the server.
 
Old 04-30-2013, 06:55 AM   #2
shivaa
Public key authentication is used separately for every user. A user can log in using ssh without using public key authentication. But if you're using ssh in a script without public key authentication, you will need to enter the user's password manually when the script runs and asks for a password.

Let us know where you're stuck. And do you want that user to be able to log in to the server without supplying a password?
 
Old 04-30-2013, 06:57 AM   #3
unSpawn
What shivaa wrote works unless /etc/ssh/sshd_config explicitly sets "PasswordAuthentication=No". And if the account was ever set up for pubkey auth then you should be able to bypass that by adding "-o PasswordAuthentication=Yes" to the command line.

*However not using pubkey auth is an obvious degradation of the security posture of your machine so you should review if there is no less insecure alternative (or even push instead of pull?). An option could be to run a separate SSH daemon on a separate port with a separate /etc/ssh/sshd_config allowing only this user (AllowUser) and chrooting it to where it needs access (ChrootDirectory), creating an iptables rule allowing access to that port from only one IP address or an as small as possible range and confining what that user can do in /home/user/.ssh/authorized_keys with "no-port-forwarding,no-X11-forwarding,no-agent-forwarding", IP range with from="10.1.1.*" and possibly even a command with command="/usr/bin/noexec /path/to/cmd".
 
Old 04-30-2013, 07:32 AM   #4
jonaskellens
I think I found the solution in the parameter "Match address" :

PasswordAuthentication no

Match address 192.0.2.0/24
PasswordAuthentication yes
 
1 members found this post helpful.
Old 04-30-2013, 08:28 AM   #5
jonaskellens
Although it seems not to work :

Code:
Starting sshd: /etc/ssh/sshd_config: line 89: Bad configuration option: Match
/etc/ssh/sshd_config: terminating, 1 bad configuration options
                                                           [FAILED]
 
Old 04-30-2013, 09:14 AM   #6
unSpawn
Check your OpenSSH version? The "Match" feature was added in OpenSSH 4.3p2 and CentOS 5 version for example doesn't have it.
 
Old 04-30-2013, 09:18 AM   #7
jonaskellens
[root@sp1 admin]# cat /etc/redhat-release
CentOS release 5.9 (Final)
[root@sp1 admin]# uname -a
Linux sp1.online.be 2.6.18-348.4.1.el5 #1 SMP Tue Apr 16 15:40:06 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@sp1 admin]# ssh -v
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
 
Old 04-30-2013, 09:34 AM   #8
unSpawn
FWIW a while back I built OpenSSH 6.1p1-1 packages, all except askpass and for my at that time CentOS 5.8. Haven't installed them yet but 'yum upgrade openssh*6.1p1-1*.rpm' looks OK.
 
Old 04-30-2013, 09:39 AM   #9
jonaskellens
So I need to build my own openssh from tar openssh-6.2p1.tar.gz ? That's the only solution ?
 
Old 04-30-2013, 09:54 AM   #10
unSpawn
Well the other solution is to wait for somebody to back port the Match feature to OpenSSH 4.3p2... (As in wait until the cows come home ;-p)
 
Old 04-30-2013, 11:09 AM   #11
haertig
If this user account is used only from a script, do you then have the password hardcoded in that script? Why don't you modify the script to use pubkeys instead?
 
Old 04-30-2013, 11:15 AM   #12
jonaskellens
Quote:
Originally Posted by haertig
If this user account is used only from a script, do you then have the password hardcoded in that script? Why don't you modify the script to use pubkeys instead?
I use phpseclib on my webserver. It is possible to use this library for auth with pubkey.

But I am afraid to place a private key on the webserver to authenticate to this server. If an attack on the webserver reveals this private key (don't know how but I have to consider the possibility), it can be harmful.
 
Old 04-30-2013, 11:32 AM   #13
haertig
Quote:
Originally Posted by jonaskellens
But I am afraid to place a private key on the webserver to authenticate to this server. If an attack on the webserver reveals this private key (don't know how but I have to consider the possibility), it can be harmful.
No more harmful than an attack on the webserver revealing a script with a hardcoded password in it.

In your authorized_keys file on the server you are logging into with the pubkey, you can limit what the incoming login is allowed to do. Put it into a chroot jail if that is warranted.

Last edited by haertig; 04-30-2013 at 11:34 AM.
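
Added example, not part of any post in this thread: a shell check that reads one authorized_keys line and reports which of the restrictions suggested in posts #3 and #13 (the three no-*-forwarding options, from= and command=) are missing. The two sample key lines, the key placeholder AAAAEXAMPLEKEY and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample key lines below are constructed; AAAAEXAMPLEKEY is a
# placeholder, not real key material.

# Print the options field of one authorized_keys line, one option per line.
# The field ends at the first space outside double quotes, and commas inside
# quotes (as in from="a,b") do not separate options.
key_options() {
    printf '%s\n' "$1" | awk '{
        q = 0; out = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\\" && q) { out = out c substr($0, i + 1, 1); i++; continue }
            if (c == "\"") q = !q
            if (c == " " && !q) break
            if (c == "," && !q) { print out; out = ""; continue }
            out = out c
        }
        # With no options the first field is the key type itself.
        if (out !~ /^(ssh-|ecdsa-|sk-)/) print out
    }'
}

# Print the restrictions named in the thread that the line lacks.
# Returns 0 only when nothing is missing.
audit_key_line() {
    opts=$(key_options "$1")
    missing=""
    for want in no-port-forwarding no-X11-forwarding no-agent-forwarding \
                from= command=; do
        case "$want" in
            *=) printf '%s\n' "$opts" | grep -qi "^$want\"" ;;
            *)  printf '%s\n' "$opts" | grep -qix -- "$want" ;;
        esac || missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

GOOD='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="10.1.1.*",command="/usr/bin/noexec /path/to/cmd" ssh-rsa AAAAEXAMPLEKEY script@web'
WEAK='from="10.1.1.*,192.0.2.10" ssh-rsa AAAAEXAMPLEKEY script@web'

for line in "$GOOD" "$WEAK"; do
    if m=$(audit_key_line "$line"); then
        echo "restricted"
    else
        echo "missing: $m"
    fi
done
```

Run it over each line of the script account's authorized_keys on the target server; a key that passes still gives whoever holds the private key exactly what the forced command allows, so keep that command narrow.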
 
  

