LinuxQuestions.org
Old 06-22-2010, 04:33 AM   #1
jonnytabpni
Member
 
Registered: Sep 2008
Posts: 68

Rep: Reputation: 16
Unauthenticated SSH


Hi Everyone,

Is it possible to somehow set up an ssh server that doesn't require a username, password or cert to login?

I wish to provide shell access to a console program, which will prompt for a username and password.

Encryption is essential though, and users must not be able to snoop in on each other.

Thanks for any advice
 
Old 06-22-2010, 04:50 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Why would you want to do that?? Just use a pre-shared key properly.
 
Old 06-22-2010, 06:59 AM   #3
jonnytabpni
Member
 
Registered: Sep 2008
Posts: 68

Original Poster
Rep: Reputation: 16
Well I wish to offer console access to customers of mine, and dealing with keys may prove to be a hassle for them?

If it's not possible, if I were to give all customers the same key, would each connection be encrypted individually? (i.e. user A couldn't decrypt the payload of user B's connection)

Thanks

Last edited by jonnytabpni; 06-22-2010 at 07:01 AM.
 
Old 06-22-2010, 09:55 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Erm come again.... You're selling a service to customer on the basis that it has deliberately crippled security???
 
Old 06-22-2010, 11:13 AM   #5
tdnnash25
Member
 
Registered: Apr 2009
Posts: 63

Rep: Reputation: 15
Quote:
Originally Posted by acid_kewpie
Erm come again.... You're selling a service to customer on the basis that it has deliberately crippled security???
ouch, I'm with acid_kewpie on this...security needs to matter.
 
Old 06-23-2010, 02:49 AM   #6
jonnytabpni
Member
 
Registered: Sep 2008
Posts: 68

Original Poster
Rep: Reputation: 16
Quote:
I wish to provide shell access to a console program, which will prompt for a username and password. Encryption is essential though, and users must not be able to snoop in on each other
If either of you read my question, you would actually see that security does matter to me, and this is my question on this thread. All I was simply intending on doing was offloading the authentication from SSH to a third party app. Look at my quote above.

Quote:
Erm come again.... You're selling a service to customer on the basis that it has deliberately crippled security???
No, I'm not. I'm asking here if what I was considering doing would cripple security, and if it does I won't. I think you have answered this question in your sharp comment. Additionally, the users would still have to authenticate themselves with another program that launches upon login. This is a forum where people ask questions. And since I am new to this area, I think it is a perfectly reasonable thing to ask.

Anyway, the helpful people over at serverfault have answered this question for me, and I'll post the correct answer here for anybody who arrives here looking for a proper answer:

The way SSH works is that the "encryption keys" are initially exchanged. However these keys themselves are exchanged in an encrypted fashion using the public/private key pair, so indeed every customer needs to have their own public/private key pair to ensure that they can't snoop in on each other.

Last edited by jonnytabpni; 06-23-2010 at 02:51 AM.
 
Old 06-23-2010, 04:29 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
well yes they do need their own, unless you want to configure ssh in such a way as you use a single key for all user authentication, which is possible, but horrible.

So you're using preshared keys? Like I initially said? Super.
 
Old 06-23-2010, 06:03 AM   #8
jonnytabpni
Member
 
Registered: Sep 2008
Posts: 68

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by acid_kewpie
well yes they do need their own, unless you want to configure ssh in such a way as you use a single key for all user authentication, which is possible, but horrible.

So you're using preshared keys? Like I initially said? Super.
Yup, sure am (Or at least going to - the system doesn't exist yet).

On a side note, are you able to use a "forced command" with a username/password login? (i.e. not using PSK)? Let's say I want to bring up a menu when the user logs in, for example

Thanks
 
Old 06-23-2010, 10:05 AM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Yeah sure, the authentication mechanism and what you can do with ssh should be totally abstracted from each other.
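
For reference, an added example that is not part of any post in this thread: an sshd_config fragment in which a forced command applies to password logins as well as key logins, followed by the per-key equivalent in authorized_keys. The group name `customers`, the menu path `/usr/local/bin/customer-menu` and the key placeholder are assumptions made for illustration.

```conf
# /etc/ssh/sshd_config (fragment), constructed example.
# "customers" and /usr/local/bin/customer-menu are hypothetical names.

# Global defaults: SSH itself still authenticates every user.
PermitRootLogin no
PermitEmptyPasswords no

# Everything below applies only to accounts in the customers group,
# whichever authentication method they used.
Match Group customers
    PasswordAuthentication yes
    PubkeyAuthentication yes

    # Run the menu instead of the login shell or any command the
    # client asked for. The client's requested command, if any, is
    # passed to the menu in the SSH_ORIGINAL_COMMAND variable.
    ForceCommand /usr/local/bin/customer-menu

    # Close the channels that do not go through the forced command.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitUserRC no

    # The menu is interactive, so it needs a terminal.
    PermitTTY yes

# Per-key alternative: one key pair per customer, with the same menu
# forced in that customer's ~/.ssh/authorized_keys (a single line).
# "restrict" turns off forwarding and pty; "pty" re-enables the
# terminal for the interactive menu.
#
# restrict,pty,command="/usr/local/bin/customer-menu" ssh-ed25519 <CUSTOMER_PUBLIC_KEY_PLACEHOLDER> customer1
```

Running `sshd -t` after editing checks the file for syntax errors before the daemon is reloaded. Each session is encrypted with keys negotiated for that connection, so customers sharing this configuration do not share session keys.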
 
Old 06-23-2010, 12:59 PM   #10
zirias
Member
 
Registered: Jun 2010
Posts: 361

Rep: Reputation: 59
No, forcing a command for a username/password-login is AFAIK not possible by SSH means, but you could use software like jailkit. But this sounds like overkill. Maybe you can write a little Windows application implementing a tty on a "simple" ssl connection, e.g. by using putty's terminal code with some openssl..?
 
  

