LinuxQuestions.org
Old 07-05-2005, 10:35 AM   #1
XaViaR
Member
 
Registered: Dec 2004
Distribution: RHEL, CentOS, SuSE
Posts: 170

Rep: Reputation: 31
SSH Forcing users to use RSA keys


Hello,

I was wondering if it is possible to force a Linux machine to ONLY accept RSA keys via ssh instead of password auth. Is this possible? If so, could you please lend me a hand?

-X
 
Old 07-05-2005, 12:04 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Yes. You need to modify your /etc/ssh/sshd_config and uncomment the RSA authentication lines and set them to "yes". To turn off password authentication, uncomment the PasswordAuthentication line and set it to "no". Do the same for DSA authentication if you want RSA-only. Save your modifications and restart sshd so that it re-reads the config. Here is a HOWTO on getting the rest of RSA authentication working:

http://kmself.home.netcom.com/Linux/FAQs/sshrsakey.html

Also remember that ssh clients connecting to you must be able to use RSA authentication as well or you'll have connectivity issues. You might also find this HOWTO by our very own David Ross helpful:

http://www.linuxquestions.org/questi...ticle&artid=79

Last edited by Capt_Caveman; 07-05-2005 at 12:06 PM.
 
Old 07-05-2005, 12:24 PM   #3
XaViaR
Member
 
Registered: Dec 2004
Distribution: RHEL, CentOS, SuSE
Posts: 170

Original Poster
Rep: Reputation: 31
Capt_Caveman,

I made the following changes, and I am still able to connect via password auth. :-( Also, when you said, "Do the same for DSA authentication if you want RSA-only." That is what I want, but I could not find this in my config. Could you help me again?

Below are the changes that I made:

RSAAuthentication yes
# PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

Below is my sshd_config:
______________________________________________

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes

RSAAuthentication yes
# PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
#GSSAPIEnableMITMAttack no

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
Banner /etc/banners/sshd.banner

# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server

# Allow Users
#
AllowUsers My_Username

# Ciphers aes256 bit
#
Ciphers aes256-cbc
 
Old 07-05-2005, 01:08 PM   #4
nxny
Member
 
Registered: May 2002
Location: AK - The last frontier.
Distribution: Red Hat 8.0, Slackware 8.1, Knoppix 3.7, Lunar 1.3, Sorcerer
Posts: 771

Rep: Reputation: 30
Did you restart sshd after making the configuration changes?

Depending on your distro, you might be able to

Code:
/sbin/service sshd restart
to make sshd re-read the conf file.

PS: If you have your distro filled in as part of your profile, the distro uncertainty can be avoided.
 
Old 07-05-2005, 01:49 PM   #5
XaViaR
Member
 
Registered: Dec 2004
Distribution: RHEL, CentOS, SuSE
Posts: 170

Original Poster
Rep: Reputation: 31
nxny,

I am using suse pro 9.1. Upon making the changes as stated earlier, I ran /etc/init.d/sshd restart.

-xaviar
 
Old 07-05-2005, 11:30 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Set UsePAM to 'no', as it will override the PasswordAuthentication directive.
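The procedure spread over Capt_Caveman's two replies (turn PasswordAuthentication off, then stop PAM from re-enabling password prompts through keyboard-interactive) can be audited from the file rather than by trial logins. The script below is an added example, not code from the thread. It reads each relevant sshd_config directive the way sshd does (the first uncommented occurrence wins; Match blocks are not modelled) and reports why a configuration still accepts passwords. The two sample files are constructed for the example: the first reproduces the relevant lines XaViaR posted, the second is a hardened version. The defaults assumed for absent directives (PubkeyAuthentication yes, PasswordAuthentication yes, ChallengeResponseAuthentication yes, UsePAM no) are OpenSSH's documented defaults; note that RSAAuthentication only governs protocol 1, so on a `Protocol 2` server it is PubkeyAuthentication that matters.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "public-key only" logins.
# Assumes the usual "Keyword value" syntax; the first uncommented occurrence
# of a keyword is the effective one, as in sshd(8). Only the global section
# (before any Match block) is examined.

# Print the effective, lower-cased value of keyword $2 in config file $1,
# or the default $3 when the keyword is never set.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*(#|$)/   { next }                         # comments, blank lines
        tolower($1) == "match" { exit }                         # stop at first Match block
        tolower($1) == key     { gsub(/"/, "", $2); print $2; exit }  # first occurrence wins
    ' "$1")
    printf '%s\n' "${val:-$3}" | tr 'A-Z' 'a-z'
}

# Return 0 when the config forces public-key authentication, 1 (with a
# reason) otherwise. With UsePAM yes, keyboard-interactive lets PAM prompt
# for a password even though PasswordAuthentication is no; that is the
# bypass the sshd_config comment warns about.
sshd_keyonly() {
    cfg=$1
    pub=$(sshd_effective "$cfg" PubkeyAuthentication yes)
    pw=$(sshd_effective "$cfg" PasswordAuthentication yes)
    # KbdInteractiveAuthentication is the current name of the directive;
    # ChallengeResponseAuthentication is its older alias (approximated here).
    cr=$(sshd_effective "$cfg" ChallengeResponseAuthentication yes)
    kbd=$(sshd_effective "$cfg" KbdInteractiveAuthentication "$cr")
    pam=$(sshd_effective "$cfg" UsePAM no)

    [ "$pub" = yes ] || { echo "$cfg: PubkeyAuthentication is $pub"; return 1; }
    [ "$pw" = no ]   || { echo "$cfg: PasswordAuthentication is $pw"; return 1; }
    if [ "$pam" = yes ] && [ "$kbd" = yes ]; then
        echo "$cfg: UsePAM yes with keyboard-interactive enabled; PAM can still prompt for a password"
        return 1
    fi
    echo "$cfg: public-key only"
}

# Constructed samples (placeholders, written to temporary files).
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT

# The lines from the original poster's config that decide the outcome.
cat > "$WEAK" <<'EOF'
Protocol 2
RSAAuthentication yes
# PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
UsePAM yes
EOF

# Hardened version: keyboard-interactive off as well, PAM left off as in the thread.
cat > "$HARD" <<'EOF'
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM no
EOF

for cfg in "$WEAK" "$HARD"; do
    if sshd_keyonly "$cfg"; then echo "  -> OK"; else echo "  -> FIX"; fi
done
```

Run it against `/etc/ssh/sshd_config` with `sshd_keyonly /etc/ssh/sshd_config` after sourcing the functions. On current OpenSSH the common alternative to the thread's `UsePAM no` is to keep `UsePAM yes` (so PAM account and session modules still run) and set `KbdInteractiveAuthentication no`; the checker accepts either. Whatever you choose, confirm with `sshd -t` before restarting, and on versions that support it (assumed 5.1 or later) dump the effective values with `sshd -T | grep -i -e passwordauth -e kbdinteractive -e usepam`.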
 
Old 07-06-2005, 08:23 AM   #7
XaViaR
Member
 
Registered: Dec 2004
Distribution: RHEL, CentOS, SuSE
Posts: 170

Original Poster
Rep: Reputation: 31
Thanks...That worked!!
 
Old 07-06-2005, 03:46 PM   #8
nxny
Member
 
Registered: May 2002
Location: AK - The last frontier.
Distribution: Red Hat 8.0, Slackware 8.1, Knoppix 3.7, Lunar 1.3, Sorcerer
Posts: 771

Rep: Reputation: 30
Ah cool.

UsePAM is usually turned off by default. I recommend you keep it that way, especially if you're running an older version.

There were a couple of security issues around the SSH PAM module a year or two ago.
 
Old 07-07-2005, 01:42 AM   #9
LeoNot
LQ Newbie
 
Registered: Jul 2005
Posts: 2

Rep: Reputation: 0
Conditional RSA only?

Is it possible to allow password login for only certain accounts?

I would like to turn off passworded login for all accounts *except* for the account used by my hosting service so that they can admin my box. (They're willing to use RSA keys, but it can slow down their response time.)

Thanks,

Leo
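LeoNot's question gets no answer in the thread. As an added note, not from any of the posters: OpenSSH 4.4 and later (released after this thread) provide a Match block, which applies directives to selected users or source addresses only. The fragment below is an example configuration; `hostadmin` and the 192.0.2.0/24 range are placeholders for the provider's account and address block.

```text
# Global section: keys only for everyone.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes

# Exception for the hosting provider's account, and only from their network.
# Match blocks must come last: every line after a Match belongs to it
# until the next Match.
Match User hostadmin Address 192.0.2.0/24
    PasswordAuthentication yes
```

Verify the per-connection result on versions that support it (assumed 5.1 or later) with `sshd -T -C user=hostadmin,addr=192.0.2.10 | grep -i passwordauthentication`, and again for an ordinary user to confirm the global `no` still applies.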
 