Linux - Security
How can I enable a passphrase along with the password for login via ssh? That is, whenever I log in from server A to server B via ssh, it should ask me for a password and then a passphrase before allowing me access.
Can you expand on "2 levels of password" here? Is this as in "2 factor authentication"? If you use RSA keys with a passphrase then that is 2 factor auth, as there is something you have (a key file) and something you know (a password). Outside of this, you then have the sudo model, where once you log in there is still very little you can actually do until you authenticate again, which is going to be a different password to the passphrase for the auth key.
You can't with ssh alone.
You could make your own bash script and replace the shell entry in /etc/passwd with that bash script. That script would ask for the password and check it against a record of the password (preferably an encrypted one, preferably one that isn't accessible to anyone but root, so via a suid binary).
Personally the way I would do this is to recompile su to use /etc/passwd2 and /etc/shadow2, make those files, and install the new su as su2. Then I'd make the bash script called pass2:
Code:
#!/bin/bash
# su2 is the recompiled su that reads /etc/passwd2 and /etc/shadow2
su2 "$(whoami)" || su2 "$(whoami)" || su2 "$(whoami)"   # 3 login attempts
exit   # "logout" only works in an interactive login shell; a script must use exit
Put that in /bin/pass2, then edit each user's /etc/passwd entry to end in /bin/pass2 instead of /bin/bash.
It's not perfect and you should test that before you implement it.
Remember though, you need to be absolutely sure that if the user presses something like "ctrl-c" or "ctrl-d" or "ctrl-z" or anything like that, they won't exit that bash script and get a shell.
The thing is, this is a unique and unorthodox security solution. Why are you doing it? (if you don't mind me asking)
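The wrapper idea above, written out as an added example (not code from the thread): it keeps the three-attempt gate, ignores the keys the post warns about while it is deciding, and hands over to a clean shell only after the second password is accepted. The names su2 and pass2 and the /bin/bash target are assumptions carried over from the post, and /etc/shadow2 is the post's own hypothetical file.

```shell
#!/bin/bash
# Added example (not code from the thread): a hardened take on the "pass2"
# login-shell wrapper idea. Assumptions: the second-password checker is the
# recompiled su installed as su2 (as the post proposes), and the shell the
# user should finally get is REAL_SHELL.

MAX_ATTEMPTS=3
REAL_SHELL=/bin/bash

# Run the authenticator command ("$@") up to $1 times. Returns 0 on the first
# success, 1 once every attempt has failed. Plain shell, so it can be exercised
# with any command standing in for su2.
gate_attempts() {
  local max=$1 n=0
  shift
  while [ "$n" -lt "$max" ]; do
    n=$((n + 1))
    if "$@"; then
      return 0
    fi
  done
  return 1
}

# Entry point when installed as the login shell (/etc/passwd points here).
pass2_main() {
  # Ignore the keys that would otherwise kill or suspend the wrapper before
  # it has decided: ctrl-c (INT), ctrl-\ (QUIT), ctrl-z (TSTP), plus HUP.
  # su2 inherits the ignored disposition, so its prompt cannot be interrupted;
  # ctrl-d just makes su2 fail and costs one attempt.
  trap '' INT QUIT TSTP HUP

  # Authenticate only: "-c true" makes su2 exit 0 exactly when the password in
  # the hypothetical /etc/shadow2 was accepted, without leaving the user in su2's shell.
  if ! gate_attempts "$MAX_ATTEMPTS" su2 -c true "$(whoami)"; then
    echo "pass2: second-factor authentication failed" >&2
    exit 1   # not "logout", which only works in an interactive login shell
  fi

  # Success: restore default signal handling so the real shell and its
  # children get normal ctrl-c / ctrl-z behaviour, then replace this process.
  trap - INT QUIT TSTP HUP
  exec -l "$REAL_SHELL"
}

# Run the gate only when invoked as the login shell (login(1)/sshd pass a
# leading "-"), not when this file is sourced to test gate_attempts.
case "${0##*/}" in
  pass2|-pass2) pass2_main ;;
esac
```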
You could probably stack two PAM modules together and use PAM to do it: one which went to the local user database, and one which went to, say, LDAP or something. An example of how you _might_ do it (note: this config is an example, it probably won't work):
I can't emphasize enough how much this config has not been tested. In theory it should work (you'll have to turn on pam authentication in sshd config); in practice, I've never tested it.
As the last link on the "sticky" thread about 'ssh' suggests, you should be using digital certificates ... and disable password authentication as an option. (Perversely, you have to do this, because sshd will, by default, offer to accept progressively weaker authentication choices if the stronger ones don't succeed.)
Always password-protect the certificates. Password-protect the certificates that you issue to your users. This is where the "mandatory password prompting" will come from.
Slightly different tangent to think about: if an outer authentication method (i.e. before reaching normal password authentication) is your game, then you might consider port knocking.
A certificate is like a badge, and to get inside the door you have to have it. Password-protecting that badge makes it even more difficult for someone to use the badge (because the password mechanism works by encrypting the badge itself).
That's why the only place that you see people using passwords to get through doorways is in Harry Potter. In any office building, you have to swipe your badge, and if they don't want to let you in anymore, they deactivate it. Once they do that, whether you continue to possess the badge or not, it's only good as a coaster for your coffee-cup, or as a memento of where you used to work.
Go and set up your SSH security the same way. Internet thieves are "merely opportunists," and this strategy utterly denies them that opportunity.
Last edited by sundialsvcs; 05-19-2011 at 09:22 AM.