
hemanshurpatel 07-23-2009 02:54 AM

Limit ssh session from a host with a particular Key file
Hello friends,

I am having a bit of a problem.
I have got a few servers to handle, lying in the USA, UK and Canada.

As of now I use them with SSH (version 2); they all have Fedora Core 8 installed.

I want the following things; please read all of them to get exactly what I want.

1) I don't want anyone to be able to do ssh.
2) I want ssh via password only, no ssh-keygen.
3) ssh should be done only from some specific hosts which are allowed.
4) I mean that even though someone has the password of the server he should not be able to ssh to my server; it needs a specific key sort of thing. Only if that keyfile is present on the client's PC should he be able to do ssh using the password.

Am I sounding clear? If not, please tell me.

All I want is to limit the users who can do ssh to my servers even though they have the root password; only users who have the combination of password and keyfile should be able to do ssh.

Hope I have sounded clear enough to think about.

Waiting for your valuable comments and replies,

marozsas 07-23-2009 07:57 AM

Well, I don't have all the answers for you, but even so, I hope some could help you.

3) To limit the origin you can use the files /etc/hosts.allow and /etc/hosts.deny. For instance, use an empty hosts.allow and in hosts.deny put something like:

sshd: ALL EXCEPT networks or list of valid IPs
For the other questions I don't know how to do that. I will follow this thread to learn from someone else, in the hope he/she could have the answer.

I use fail2ban, which is a program that can block an IP that has too many failed login attempts. I use fail2ban to protect sshd against brute force attacks. On the first attempt it can block the IP for hours, except if it is your IP; in this case it blocks you after the third attempt for 5 minutes - or whatever - you get the idea.


hemanshurpatel 07-23-2009 08:20 AM


But I don't want my servers to be limited to specific IPs.

Say I have got the root password and I have got a keyfile; then I may connect my laptop to any network (means any IP), and I should be able to connect.

In short, rather than depending on just a password I want two parameters, one is the password and the other is a file; only then can anyone connect to my servers.

Still waiting for comments....

marozsas 07-23-2009 03:43 PM

Looking at "man sshd_config" I found the directives "AllowUsers" and "DenyUsers" which could be used (I guess) to limit who can log in through ssh (your request number 1).
Also, there is the directive "AuthorizedKeysFile" that contains the public keys that can be used for user authentication, which is your request number 4.

Take a look at "sshd_config(5)" and "ssh_config(5)", they are the best source for what you are looking for.

Please, share your findings here and, if successful, mark this thread as "solved".

unSpawn 07-23-2009 04:56 PM


Originally Posted by hemanshurpatel (Post 3617371)
i am having a bit of problem.

Yes, and more than you bargained for.


Originally Posted by hemanshurpatel (Post 3617371)
users to do ssh to my servers though they have root password,

...implies users logging in as the root account user. If that's the case then all your other safeguards, access restrictions and security measures are for naught. Sure, you may ignore that, but something is called a best practice for a reason.


Originally Posted by hemanshurpatel (Post 3617371)
fedora core 8 installed.

...which is stale, unmaintained, unsupported. Sure you're free to ignore that remark too but adding access restrictions or security measures on top of a deprecated distribution version is an utter waste of time and will only give you a false sense of security.


Originally Posted by hemanshurpatel (Post 3617371)
i want ssh via password only, no ssh-keygen.

Even before we have a chance to address concepts like port knocking you should really try to understand OpenSSH better.

hemanshurpatel 07-24-2009 01:28 AM

Dear unSpawn

If you don't have an answer, please don't laugh at me.

My intention with the root password is that even if someone has the root password he should not be able to log in to my server without that key file.
I think I made this clear in my previous posting.
Whether I am using Fedora Core 8 or 11, I think the solutions won't change much.

Thanks for the other replies though; surely I will go through the ssh_config and sshd_config man pages.

karamarisan 07-24-2009 01:58 AM

Don't discount what he said about root logins and stale versions. Not only is it silly to work on advanced security like 'I want public-key in case they get my password' when you're asking for problems by not updating your software and risking everything by working as root, but like it or not, you're part of a network, and you are a weak link by not taking care of your own security. Poor practice (and Windows) is why we have botnets.

A keyfile is exactly what public key authentication gives you. You can even password protect it. It's a very bad idea in case you lose the keyfile, but you could then disable password authentication and use public key with the passworded key, making it impossible to log in without both the public key and the password. That's what you want. It really is ill-advised, though.

hemanshurpatel 07-24-2009 02:10 AM

I didn't get you.

And about the previous posting, I don't want to insult anyone. I am working on Linux, and I know it is a very bad idea to log in using the root id; all I want to tell you is that even if someone has got the root password, he should not be able to log in.
I never said that you need the root password only to log in, or that I will allow only the root user to log in.

karamarisan 07-24-2009 02:24 AM

Like unSpawn said, you should take some time and read up on OpenSSH. In particular, look into public key authentication, as that is as close to what you want as you're going to get. ssh-keygen is the program you'll use to set that up.

hemanshurpatel 07-24-2009 02:29 AM

Yeah, sure,
I will read it.

But are you sure that after generating keys using ssh-keygen I can set it to both? I mean, if someone has that file and not the password, or say someone has the password and not that file, then he/she should not be able to log in?

Can I do that?

karamarisan 07-24-2009 02:46 AM

I am sure you can password-protect an OpenSSH private key. I am reasonably sure you can disable regular authentication - you'll have to read up on sshd_config as mentioned earlier to find out for sure and how.

However, this is a BAD idea. If the machine on which you have stored the private key is stolen, or its hard drive dies, or you're using it on a boat and drop it off the side, it will be impossible to log in (barring a brute-forcing of your key, and if that were practical, there'd be no point to a key in the first place). The idea is that by using public key, you just skip the password step; protecting the key itself is the responsibility of you and the machines it's on, and if their security isn't up to snuff, you've got bigger problems.

chrism01 07-24-2009 03:03 AM

You can (using ssh) password protect the key on the client, so losing the client doesn't matter if the thief doesn't know the password to the key.

jschiwal 07-24-2009 03:31 AM

I don't really understand the question you had about not allowing people who know the root password to log in. If you simply mean that you don't want to allow ssh root logins, that is easy to set in /etc/ssh/sshd_config. If you mean that you don't want people who know the root password to log in and use su to become root, you can prevent these users' group from logging in to ssh.

If you want to allow these people to log into their regular accounts, but not use su or sudo to become root, that is more complicated. Instead of letting administrators know the root password, you could change the root password and make them members of the `wheel' group, so they can use sudo instead. With pam_group (see man group.conf & man pam_group) you can determine when and from where they are members of the wheel group. Then they can use sudo at work from a local terminal but not remotely after work.

Company policy and auditing may be more useful than more complicated or obstructive methods. Giving users you don't trust the root password doesn't sound like a good policy. Users who have root access during the day can modify your configurations, circumventing any controls on ssh access you implement.
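Pulling together the sshd_config directives named in this thread (AllowUsers and AuthorizedKeysFile from marozsas, disabling password authentication in favour of a passphrase-protected key from karamarisan, disabling ssh root logins from jschiwal), here is an added example that is not code from anyone in the thread: a small Python audit that parses an sshd_config and reports which of those settings would still let a plain password or a root login through. The ChallengeResponseAuthentication check is an addition of mine, since keyboard-interactive logins would otherwise still accept the password; the two sample configs, the assumed defaults and the account name are constructed.

```python
import re

# sshd_config(5) keywords and the values that give the login this thread
# asks for: key file AND its passphrase, no plain password login, no root.
# sshd honours the first occurrence of a keyword, and so does the parser.
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",  # keyboard-interactive passwords
    "pubkeyauthentication": "yes",
}
# Assumed when a keyword is absent: the permissive defaults of the OpenSSH 4.x Fedora 8 shipped.
DEFAULTS = {k: "yes" for k in WANTED}

def parse_sshd_config(text):
    """Lowercase keyword -> first value, global section only."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^(\S+?)[\s=]+(.*)$", line)     # "Key value" or "Key=value"
        if not m:
            continue                                  # blank line
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":        # everything after Match is conditional
            break
        seen.setdefault(key, value)
    return seen

def audit(text):
    """(keyword, effective, wanted) per deviation; [] means the goal is met."""
    cfg = parse_sshd_config(text)
    problems = []
    for key, wanted in WANTED.items():
        effective = cfg.get(key, DEFAULTS[key]).lower()
        if effective != wanted:
            problems.append((key, effective, wanted))
    if not cfg.get("allowusers"):     # request 1: only listed accounts may log in
        problems.append(("allowusers", "(unset)", "<explicit user list>"))
    return problems

# Constructed samples: a stock-looking config and one that meets the goal.
WEAK_CONFIG = "#PermitRootLogin no   # left commented out\nPasswordAuthentication yes\n"
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowUsers hemanshu          # placeholder account name
"""
```

Run audit() over /etc/ssh/sshd_config after editing it and reload sshd only once the list comes back empty; keep a second session open while doing so, as karamarisan's warning about locking yourself out applies to the server side too.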

jschiwal 07-24-2009 03:36 AM


Originally Posted by chrism01 (Post 3618523)
You can (using ssh) password protect the key on the client, so losing the client doesn't matter if the thief doesn't know the password to the key.

Exactly, it is the private key on the client that is passphrase protected. I like passphrases, because they can be a lot longer. Odd phrases are a lot easier to remember than random passwords.

However, a remote user in the field, let's assume with a laptop, could remove the passphrase (out of laziness) and later lose the laptop. I don't know how this policy could be enforced.
