Hello,

How can I enable passphrase along with the password for login via ssh ? In that whenever I login from server A to server B via ssh, it should ask me for a password and then passphrase to allow me access.

OR

Can we have multiple passwords to login via ssh ?

My basic need is to have 2 levels of password.

can you expand on "2 levels of password" here? Is this as in "2 factor authentication" If you use RSA keys with a passphrase then that is 2 factor auth, as there is something you have - a key file, and something you know - a password. Outside of this, you then have the sudo model where once you log in there is still very little you can actually do until you authenticate again, which is going to be a different password to that in the passphrase for the auth key.

You can't with ssh alone.
You could make your own bash script and replace the shell entry in /etc/passwd with that bash script. That script would ask for the password, check it against a record of the password (preferably an encrypted one, preferably one that isn't accessible to anyone but root, so via a suid binary)
Personally the way I would do this is to recompile su to use /etc/passwd2 and /etc/shadow2, make those files, and install the new su as su2. The I'd make the bash script called pass2:
put that in /bin/pass2, then edit each user's /etc/password entry to end in /bin/pass2 instead of /bin/bash
It's not perfect and you should test that before you implement it.

Remember though, you need to be absolutely sure that if the user presses something like "ctrl-c" or "ctrl-d" or "ctrl-z" or anything like that, they won't exit that bash script and get a shell.

The thing is, this is a unique and unorthodox security solution. Why are you doing it? (if you don't mind me asking)

0 members found this post helpful.

You could probably stack two pam modules together and use pam to do it. One which went to the local user database, and one which went to, say, ldap or something. An example of how you _might_ do it (note: this config is an example, it probably won't work)

I can't emphasize enough how much this config has not been tested. In theory it should work (you'll have to turn on pam authentication in sshd config); in practice, I've never tested it.

As the last link on the "sticky" thread about 'ssh' suggests, you should be using digital certificates ... and disable password authentication as an option. (Perversely, you have to do this, because sshd will, by default, offer to accept progressively weaker authentication choices if the stronger ones don't succeed.)

Always password-protect the certificates. Password-protect the certificates that you issue to your users. This is where the "mandatory password prompting" will come from.

Slightly different tangent to think about: if an outer authentication method (i.e. before reaching normal password authentication) is your game, then you might consider port knocking.

A certificate is like a badge, and to get inside the door you have to have it. Password-protecting that badge makes it even more difficult for someone to use the badge (because the password mechanism works by encrypting the badge itself).

That's why the only place that you see people using passwords to get through doorways is in Harry Potter. In any office building, you have to swipe your badge, and if they don't want to let you in anymore, they deactivate it. Once they do that, whether you continue to possess the badge or not, it's only good as a coaster for your coffee-cup, or as a memento of where you used to work.

Go and set up your SSH security the same way. Internet thieves are "merely opportunists," and this strategy utterly denies them that opportunity.