LinuxQuestions.org forum: Linux - Security
#1 | 07-05-2005, 10:35 AM | Member | Registered: Dec 2004 | Distribution: RHEL, CentOS, SuSE | Posts: 170
SSH Forcing users to use RSA keys
Hello,
I was wondering if it is possible to force a Linux machine to ONLY accept RSA keys via ssh instead of password auth. Is this possible? If so, could you please lend me a hand??
-X
#2 | 07-05-2005, 12:04 PM | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Yes. You need to modify your /etc/ssh/sshd_config and uncomment the RSA authentication lines and set them to "yes". To turn off password authentication, uncomment the PasswordAuthentication line and set it to "no". Do the same for DSA authentication if you want RSA-only. Save your modifications and restart sshd so that it re-reads the config. Here is a HOWTO on getting the rest of RSA authentication working:
http://kmself.home.netcom.com/Linux/FAQs/sshrsakey.html
Also remember that ssh clients connecting to you must be able to use RSA authentication as well or you'll have connectivity issues. You might also find this HOWTO by our very own David Ross helpful:
http://www.linuxquestions.org/questi...ticle&artid=79
Last edited by Capt_Caveman; 07-05-2005 at 12:06 PM.
#3 | 07-05-2005, 12:24 PM | Member (Original Poster) | Registered: Dec 2004 | Distribution: RHEL, CentOS, SuSE | Posts: 170
Capt_Caveman,
I made the following changes, and I am still able to connect via password auth. :-( Also, when you said, "Do the same for DSA authentication if you want RSA-only." That is what I want, but I could not find this in my config. Could you help me again?
Below are the changes that I made:
RSAAuthentication yes
# PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
Below is my sshd_config:
Code:
Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
RSAAuthentication yes
# PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
#GSSAPIEnableMITMAttack no
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
Banner /etc/banners/sshd.banner
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Allow Users
#
AllowUsers My_Username
# Ciphers aes256 bit
#
Ciphers aes256-cbc
#4 | 07-05-2005, 01:08 PM | Member | Registered: May 2002 | Location: AK - The last frontier. | Distribution: Red Hat 8.0, Slackware 8.1, Knoppix 3.7, Lunar 1.3, Sorcerer | Posts: 771
Did you restart sshd after making the configuration changes?
Depending on your distro, you might be able to
Code:
/sbin/service sshd restart
to make sshd re-read the conf file.
PS: If you have your distro filled in as part of your profile, the distro uncertainty can be avoided.
#5 | 07-05-2005, 01:49 PM | Member (Original Poster) | Registered: Dec 2004 | Distribution: RHEL, CentOS, SuSE | Posts: 170
nxny,
I am using suse pro 9.1. Upon making the changes as stated earlier, I ran /etc/init.d/sshd restart.
-xaviar
#6 | 07-05-2005, 11:30 PM | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Set UsePAM to 'no' as it will override the PasswordAuthentication directive.
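The override Capt_Caveman refers to is the one the posted config's own comment warns about: with UsePAM yes and ChallengeResponseAuthentication left at its default of yes, sshd still offers keyboard-interactive authentication through PAM, and that accepts the account password even though PasswordAuthentication is no. Two other details from the posted config matter here: RSAAuthentication only governs protocol 1, so on a Protocol 2 server the relevant keyword is PubkeyAuthentication (default yes, so leaving it commented is harmless), and sshd uses the first occurrence of each keyword, so a later duplicate never wins. The script below is an added example, not code from the thread or from OpenSSH; it reads a config file offline, applies those rules plus the upstream defaults for absent keywords, and reports every password path that is still open. The sample configs it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports whether an sshd_config still
# leaves a password-based login path open. It applies sshd's own rules: the
# first occurrence of a keyword wins, only lines before any "Match" block are
# global, and keywords that are absent take the upstream OpenSSH defaults.

# sshd_get KEYWORD FILE: print the effective global value (lower-cased), or nothing.
sshd_get() {
    awk -v kw="$1" '
        { sub(/#.*/, "") }                                       # strip comments
        tolower($1) == "match" { exit }                          # end of the global section
        tolower($1) == tolower(kw) { print tolower($2); exit }   # first occurrence wins
    ' "$2"
}

# sshd_effective KEYWORD DEFAULT FILE: value from the file, else DEFAULT.
sshd_effective() {
    v=$(sshd_get "$1" "$3")
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$2"
}

# ssh_password_exposure FILE: list every way a password could still be accepted.
# Returns 0 when only public-key authentication remains, 1 when a path is open.
ssh_password_exposure() {
    f=$1
    pw=$(sshd_effective PasswordAuthentication yes "$f")
    cr=$(sshd_effective ChallengeResponseAuthentication yes "$f")
    pam=$(sshd_effective UsePAM no "$f")
    pubkey=$(sshd_effective PubkeyAuthentication yes "$f")
    open=0
    if [ "$pw" = yes ]; then
        echo "open: 'password' method (PasswordAuthentication is $pw)"
        open=1
    fi
    if [ "$cr" = yes ] && [ "$pam" = yes ]; then
        echo "open: keyboard-interactive through PAM (ChallengeResponseAuthentication $cr, UsePAM $pam)"
        open=1
    fi
    if [ "$pubkey" != yes ]; then
        echo "warning: PubkeyAuthentication is $pubkey, so key logins would fail too"
    fi
    [ "$open" -eq 0 ] && echo "ok: only public-key authentication remains"
    return "$open"
}

# Constructed demo: a file modelled on the thread's first attempt, then a fix
# that keeps PAM for account/session handling but closes the interactive path.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Protocol 2
RSAAuthentication yes
# PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
UsePAM yes
EOF
echo "== as first posted =="
ssh_password_exposure "$demo" || true
cat > "$demo" <<'EOF'
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
echo "== after closing the PAM path =="
ssh_password_exposure "$demo"
rm -f "$demo"
```

The fix given in the thread, UsePAM no, closes the same path; the second sample keeps UsePAM yes and sets ChallengeResponseAuthentication no instead, which matters on distributions that route account and session checks through PAM. On OpenSSH 5.1 and later, `sshd -T` prints the effective configuration directly and is the quicker check on a live host; the script is for reading a config file on its own. Either way, confirm the result from a second session with `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password,keyboard-interactive` before closing the one you are logged in on.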
#7 | 07-06-2005, 08:23 AM | Member (Original Poster) | Registered: Dec 2004 | Distribution: RHEL, CentOS, SuSE | Posts: 170
Thanks...That worked!!
#8 | 07-06-2005, 03:46 PM | Member | Registered: May 2002 | Location: AK - The last frontier. | Distribution: Red Hat 8.0, Slackware 8.1, Knoppix 3.7, Lunar 1.3, Sorcerer | Posts: 771
Ah cool.
UsePAM is usually turned off by default. I recommend you keep it that way, especially if you're running an older version.
There were a couple of security issues around the SSH PAM module a year or two ago.
#9 | 07-07-2005, 01:42 AM | LQ Newbie | Registered: Jul 2005 | Posts: 2
Conditional RSA only?
Is it possible to allow password login for only certain accounts?
I would like to turn off passworded login for all accounts *except* for the account used by my hosting service so that they can admin my box. (They're willing to use RSA keys, but it can slow down their response time.)
Thanks,
Leo
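The thread does not answer this question. The standard way to do it is a Match block, which OpenSSH added in 4.4, after this thread was written and later than the OpenSSH that ships with SuSE 9.1: the global section turns passwords off for everyone and a trailing "Match User" section turns them back on for one account only. The script below is an added example, not code from the thread or from OpenSSH. The account name hostingadmin and the install helper are hypothetical; the helper validates the candidate file with sshd -t before it replaces the live one and keeps a backup, and the demo writes only to temporary paths.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. The global section is
# key-only; one named account keeps password login through a Match block
# (OpenSSH 4.4 and later). "hostingadmin" is a placeholder account name.

# render_password_exception_config USER: print the config. Everything after
# the "Match" line applies only to USER, so Match must be the last section.
render_password_exception_config() {
    cat <<EOF
# Global section: every account is key-only
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no

# Exception for the hosting provider's account. Only the keywords that
# sshd_config(5) lists as valid inside Match may appear below this line.
Match User $1
    PasswordAuthentication yes
EOF
}

# install_sshd_config CANDIDATE TARGET [SSHD]: validate CANDIDATE with
# "sshd -t -f" before it replaces TARGET, keeping TARGET.bak.
# Returns 0 on success, 1 if sshd rejects the file, 2 if sshd is not found
# (nothing is changed in the last two cases).
install_sshd_config() {
    candidate=$1 target=$2 sshd_bin=${3:-/usr/sbin/sshd}
    if [ ! -x "$sshd_bin" ]; then
        echo "no sshd at $sshd_bin; nothing installed" >&2
        return 2
    fi
    if ! "$sshd_bin" -t -f "$candidate"; then
        echo "sshd rejected $candidate; nothing installed" >&2
        return 1
    fi
    [ -f "$target" ] && cp -p "$target" "$target.bak"
    cp "$candidate" "$target" || return 1
    echo "installed $target (previous copy in $target.bak); reload sshd to apply"
}

# Demo with constructed paths; nothing under /etc/ssh is touched.
candidate=$(mktemp)
render_password_exception_config hostingadmin > "$candidate"
cat "$candidate"
install_sshd_config "$candidate" /tmp/sshd_config.demo || echo "(not installed, status $?)"
rm -f "$candidate"
```

The exception account becomes the only password target on the host, so narrow it further where you can: Match accepts several criteria on one line, so if the provider connects from a known range, `Match User hostingadmin Address 192.0.2.0/24` (documentation range, substitute the real one) limits the password path to that source. Keep AllowUsers in step with it, and watch the auth log for that account specifically, since it is the one a password-guessing attempt would have to land on.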