Key based SSH login that requires both key AND password








5















First of all, thanks for making and maintaining Ask Ubuntu; I really get lots of help from here.

My problem is:
I successfully developed RSA key based ssh login on the board from my system.
When the client logs in the first time, it asks for the private key and the passphrase too, which works fine.
On the second login, ssh doesn't ask for the private key or password; it logs in directly on the board.

The client side uses Ubuntu 16.04 and the board runs a customized Ubuntu.



First time login with below command:



ssh -i ~/.ssh/id_rsa user@board_ip //works fine



Second time:



ssh user@board_ip //never ask password and public key - problem



First time:



ssh user@board_ip //not able to login without key - works fine



As per my understanding, I made a mistake in the sshd_config file on the board.
I played with the settings below but it failed every time.



StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#PasswordAuthentication yes
PermitEmptyPasswords no


The project requirement is secure login, mainly over ssh.
To achieve more security than SSH password based login, we shifted to key based login.
As explained above, after changing all the configuration, SSH login requires the private key and the password too.
After logging out and logging in again after some time, ssh doesn't require the key or password; the project requirement needs the key and password each and every time.

Sorry for the formatting and spelling mistakes.
Thanks again.





























  • 2





    It sounds more like the credentials are being cached by your ssh agent than a mistake in the configuration

    – steeldriver
    Mar 28 '18 at 15:08











  • @steeldriver post that as an answer

    – Panther
    Mar 28 '18 at 15:15











  • @user68186: As per the project's requirement for more security, we need the key and password on every ssh attempt. If a user logs in for any reason and logs out, and then someone else uses this system and tries to log in, the password and key must be required for security.

    – Tejas Virpariya
    Mar 28 '18 at 18:36











  • The "problem" you are having is that ssh-agent is storing the key and password. See askubuntu.com/questions/737251/… and similar. ssh and ssh-server are functioning normally; this is not a configuration problem.

    – Panther
    Mar 29 '18 at 1:23


















ssh openssh sshd














edited Mar 28 '18 at 21:00









user68186











asked Mar 28 '18 at 15:00









Tejas Virpariya



2 Answers


















6














There are two ways to configure ssh to require both a public key and a password or passphrase.



The difference between the password and the passphrase:



The password in this context is the password assigned to the user in the server computer (the board). If the board has only one user account, then it will have only one password. If the board has multiple user accounts, they should have their unique passwords.

The passphrase is linked to the private key in the client (local) computer, not to the remote server (board) computer. Thus, if you use two different client computers or devices to ssh from, then you will have to create a passphrase for the private keys stored in each local computer. Similarly, if two different users need to ssh to the server (board) from their own respective local computers, they will need their own private-public key pairs and own passphrase to unlock their respective private keys.

For example, say you and I need to ssh to the same server computer (the board) from our own laptops. You will have your own private key and a passphrase for that private key. I will have my own private key and its passphrase. The upshot of this arrangement is, I can change the passphrase of my private key any time without telling you, or changing anything on the server computer (the board). I can even remove the passphrase from my private key without telling you.



The other scenario is, if I have multiple servers to ssh to and if I use the same private key to authenticate myself to all the servers, I will need to use the same passphrase to access ssh in all the servers I work with, not just your board.



Method 1. Public Key with passphrase



Reference: https://help.ubuntu.com/community/SSH/OpenSSH/Keys



Step 1. Add a passphrase to the existing public-private key for each client and user combination

For each user on each client computer or device use the following command to generate a passphrase for the existing public-private key pair:

ssh-keygen -p

You will be prompted for the location where to keep the files. Hit enter to accept the default location.



If you already have a passphrase set, you will be asked to enter the existing passphrase. In that case you have already done this step. Press Ctrl+C to stop the process.



Next you will be prompted to enter a new passphrase. Do not hit Enter! Enter a long and difficult to guess passphrase that is easy to remember. You will be asked to re-enter the passphrase.



If you don't have an existing public-private key pair, use the following command to generate it. You will be prompted to add a passphrase if you need one:



ssh-keygen -t rsa


Every time you try to login to the ssh server, you will be asked to enter this passphrase. This can be different from the user password of the ssh server. Each user can have their own passphrase. If a user needs to login from different clients (laptop, phone, etc.) she will need to repeat this process for each client. She can choose a different passphrase for different clients.



Step 2. Copy the public key to the server only if the key is new



In your client computer enter:



ssh-copy-id -i ~/.ssh/id_rsa user@board_ip


It will ask for the password of the user in the remote server. Remember, password based login must be enabled for this to work.



Repeat for all the users and all client devices.



Step 3. Test if it works



Try to login to the server by entering:



ssh user@board_ip 


If all goes well, you will be prompted to enter the passphrase you created in step 2. This is not the user password you were asked in step 3.



If you see the prompt to enter the user password, then something is not right. Do not proceed to the next step, until you get this working.



Step 4. Disable password based login



Once each user and their respective client devices have their own public-private key pairs and respective passphrases of their choice, you won't need the password based login. It is best to disable this method. Keeping it enabled will allow anyone without the public-private key pair to try to guess the password of the user@board-ip.



In the ssh server, the board, edit the file /etc/ssh/sshd_config and change:



#PasswordAuthentication yes


to read:



PasswordAuthentication no


Note, the # is not there in the second line and the yes is now no.



Restart the ssh service in the server by:



sudo service ssh restart


If this does not work, reboot the board.



It is done. The passphrase is cached in the client, probably by Gnome-Keyring, until the user logs out of the local computer. Thus, the passphrase is asked only once per session.



What comes next is another alternative. You need to do either 1 or 2.



Method 2. Public key and user password both required



Reference: https://security.stackexchange.com/questions/17931/possible-to-use-both-private-key-and-password-authentication-for-ssh-login



Step 1. Remove passphrase from Private key if present, for each client and user combinations



For each user on each client computer or device use the following command to generate the public-private key pair:



ssh-keygen -p


You will be prompted for the location where to keep the files. Hit enter to accept the default location.



If you have an existing passphrase you will be asked to enter it. If you don't get prompted for existing passphrase, you are done. Press Ctrl+C to stop the process.



Otherwise enter the existing passphrase and continue.



Next you will be prompted to enter a passphrase. Hit Enter twice to remove the existing passphrase from the private key.



If you don't have an existing public-private key pair, use the following command to generate it. You will be prompted to add a passphrase if you need one:



ssh-keygen -t rsa


If a user needs to login from different clients (laptop, phone, etc.) she will need to repeat this process for each client.



Step 2. Copy the public key to the server only if the key is new



In your client computer enter:



ssh-copy-id -i ~/.ssh/id_rsa user@board_ip


It will ask for the password of the user in the remote server. Remember, password based login must be enabled for this to work.



Repeat for all the users and all client devices.



Step 3. Test if public keys are being used



Try to login to the server by entering:



ssh user@board_ip 


If all goes well, you will not be prompted to enter any password or passphrase. This is normal. This shows that the public key is properly installed in the ssh server (the board) and it is working. We will change the setting so that it asks for the password again in the next step.



Step 4. Setup for both public key and password



Login to the ssh server (the board) and edit the /etc/ssh/sshd_config file. Add the following line in the file:



AuthenticationMethods publickey,password


Warning: Make sure the PasswordAuthentication looks like:



#PasswordAuthentication yes


This is the default behavior. You may choose to keep or remove the # in the beginning. However, if this setting is set to no along with the line you just added, then nobody will be able to login to the server using ssh. If you get locked out, you will have to physically go to the remote server, hook it up to keyboard, monitor, etc. and login locally and edit this file to fix the problem.



End Warning



Restart the ssh service in the server by:



sudo service ssh restart


If this does not work, reboot the board.



Step 5. Test breaking in



Find a new computer or login to the client computer using a new username, say user2. This user should not have any public-private key pairs in his /home/$USER/.ssh/ folder. We will pretend that user2 is the hacker who has somehow found out the password of user@board_ip and try to ssh into that system.



Enter as user2, from the client computer:



ssh user@board_ip


If you can login with just the password, then it did not work. Anyone who has the password or can guess it, can login to the board. They do not need the key.



If you get a permission denied and login fails, then the double authentication of public key and password works.



Hope this helps






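Added example (not part of the answer above): a pre-restart check for the Method 2 setup that reads an sshd_config the way sshd treats global keywords (case-insensitive, first occurrence wins) and reports whether every AuthenticationMethods list requires both publickey and password, or whether the lock-out case from the warning applies. The function names, verdict words and sample configs are constructed for illustration; Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the "key AND password" requirement.

# sshd_value FILE KEYWORD
# Print the value of KEYWORD from the global section of FILE.
# Keywords are case-insensitive, the first occurrence wins, and parsing
# stops at the first Match block (conditional sections are not evaluated).
sshd_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        tolower($1) == "match"   { exit }      # end of the global section
        tolower($1) == want {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# check_two_factor FILE
# Prints one verdict word (hypothetical names chosen for this example):
#   ok            every AuthenticationMethods list needs publickey AND password
#   single-factor some path lets a login succeed without both factors
#   lockout       both are required, but one of them is switched off
# Returns 0 only for "ok".
check_two_factor() {
    methods=$(sshd_value "$1" AuthenticationMethods)
    pw=$(sshd_value "$1" PasswordAuthentication)
    pk=$(sshd_value "$1" PubkeyAuthentication)
    : "${pw:=yes}" "${pk:=yes}"    # both default to yes when unset or commented out

    # No AuthenticationMethods line: any single enabled method is enough.
    [ -n "$methods" ] || { echo "single-factor"; return 1; }

    # Lists are separated by spaces and are alternatives to each other;
    # methods inside one list are separated by commas and are all required.
    for list in $methods; do
        case ",$list," in *,publickey,*) ;; *) echo "single-factor"; return 1 ;; esac
        case ",$list," in *,password,*)  ;; *) echo "single-factor"; return 1 ;; esac
    done

    # The case the answer's warning describes: a required method is disabled.
    if [ "$pw" = "no" ] || [ "$pk" = "no" ]; then
        echo "lockout"; return 1
    fi
    echo "ok"
}

# Constructed sample configs (not copied from a real board).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/asker.conf" <<'EOF'
StrictModes yes
PubkeyAuthentication yes
#PasswordAuthentication yes
PermitEmptyPasswords no
EOF

cat > "$tmp/method2.conf" <<'EOF'
#PasswordAuthentication yes
AuthenticationMethods publickey,password
EOF

cat > "$tmp/lockout.conf" <<'EOF'
PasswordAuthentication no
authenticationmethods publickey,password
EOF

for name in asker method2 lockout; do
    printf '%s: %s\n' "$name" "$(check_two_factor "$tmp/$name.conf" || true)"
done
```

On the board, `sudo sshd -t` validates the real file before `sudo service ssh restart`.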
































    0














    The issue is that ~/.ssh/id_rsa is the default home for an SSH public key in Ubuntu. Therefore you don't have to include -i ~/.ssh/id_rsa in your SSH command after the key exchange has happened, to use the id_rsa keypair.



    To avoid this behaviour create the SSH keypair with a different name, then it will only be used when you specify it with the -i option.



    Example:

    If you create the key with the name user_ssh_rsa in user's home directory:



    ssh-keygen -t rsa -f ~/.ssh/user_ssh_rsa


    Then exchange the key with the remote server, entering the password for the user on the remote system when prompted:



    ssh-copy-id -i ~/.ssh/user_ssh_rsa user@board_ip


    Logging in with:



    ssh -i ~/.ssh/user_ssh_rsa user@board_ip


    Will login without prompting for password, as it's using the newly created key.



    Using:



    ssh user@board_ip


    Will prompt for the password, as the keypair is not found automatically.

    This does depend on having removed the already shared key at ~/.ssh/id_rsa































    • I tried both options: first I renamed id_rsa, and second I renamed and changed the location of id_rsa and also permanently deleted id_rsa from the ~/.ssh/ location, but got the same result. ssh allows access without key and password. I want security on every ssh login attempt.

      – Tejas Virpariya
      Mar 28 '18 at 18:29







    • 1





      Did you remove id_rsa and id_rsa.pub? Otherwise it must be an ssh-agent caching issue.

      – Arronical
      Mar 29 '18 at 8:22











    • I removed the private key but didn't touch the public key.

      – Tejas Virpariya
      Mar 29 '18 at 11:26











    • I think you'd need to remove both.

      – Arronical
      Mar 29 '18 at 11:38











    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "89"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1019999%2fkey-based-ssh-login-that-requires-both-key-and-password%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    6














    There are two ways to configure ssh to require both a public key and a password or passphrase.



    The difference between the password and the passphrase:



    The password in this context is the password assigned to the user in the server computer (the board). If the board has only one user account, then it will have only one password. If the board has multiple user accounts, the should have their unique passwords.



    The passphrase is linked to the private key in the client (local) computer, not to the remote server (board) computer. Thus, if you use two different client computers of devices to ssh from, then you will have to create a passphrases for the private keys stored in each local computer. Similarly, if two different users need to ssh to the server (board) from their own respective local computers, they will need their own private-public key pairs and own passphrase to unlock their respective private keys.



    For example, say you and I need to ssh to the save server computer (the board) from our own laptops. You will have your own private key and a passphrase for that private key. I will have my own private key and its passphrase. The upshot of this arrangement is, I can change the passphrase of my private key any time without telling you, or changing anything to the server computer (the board). I can even remove the passphrase from my private key without telling you.



    The other scenario is, if I have multiple servers to ssh to and if I use the same private key to authenticate myself to all the servers, I will need to use the same passphrase to access ssh in all the servers I work with, not just your board.



    Method 1. Public Key with passphrase



    Reference: https://help.ubuntu.com/community/SSH/OpenSSH/Keys



    Step 1. Add a passphrase to the existing public-private keyfor each client and user combinations



    For each user on each client computer or device use the following command to generate a passphrase for the exiting public-private key pair:



    ssh-keygen -p


    You wil be prompted for the the location where to keep the files. Hit enter to accept the default location.



    If you already have a passphrase set, you will be asked to enter the existing passphrase. In that case you have already done this step. Press Ctrl+C to stop the process.



    Next you will be prompted to enter a new passphrase. Do not hit Enter! Enter a long and difficult to guess passphrase that is easy to remember. You will be asked to re-enter the passphrase.



    If you don't have an existing public-private key pair, use the following command to generate it. You will be prompted to add a passphrase if you need one:



    ssh-keygen -t rsa


    Every time you try to login to the ssh server, you will be asked to enter this passphrase. This can be different for the user password of the ssh server. Each user can have their own passphrase. If an user needs to login from different clients (laptop, phone, etc.) she will need to repeat this process for each client. She can choose different passphrase for different clients.



    Step 2. Copy the public key to the server only if the key is new



    In your client computer enter:



    ssh-copy-id -i ~/.ssh/id_rsa user@board_ip


    It will ask for the password of the user in the remote server. Remember, password based login must be enabled for this to work.



    Repeat for all the users and all client devices.



    Step 3. Test if it works



    Try to login to the server by entering:



    ssh user@board_ip 


    If all goes well, you will be prompted to enter the passphrase you created in step 2. This is not the user password you were asked in step 3.



    If you see the prompt to enter the user password, then something is not right. Do not proceed to the next step, until you get this working.



    Step 4. Disable password based login



    Once each user and their respective client devices have their own public-private key pairs and respective passphrases of their choice, you won't need the password based login. It is best to disable this method. Keeping it enabled will allow anyone without the public-private key pair to try to guess the password of the user@board-ip.



    In the ssh server, the board, edit the file /etc/ssh/sshd_config and change:



    #PasswordAuthentication yes


    to read:



    PasswordAuthentication no


    Note, the # is not there in the second line and the yes is now no.



    Restart the ssh service in the server by:



    sudo service ssh restart


    If this does not work, reboot the board.



    It is done. The passphrase is chached in the client probably by Gnome-Keyring until the user logs out of the local computer. Thus, the phass-phrase is asked only once per session.



    What comes next is another alternative. You need to do either 1 or 2.



    Method 2. Public key and user password both required



    Reference: https://security.stackexchange.com/questions/17931/possible-to-use-both-private-key-and-password-authentication-for-ssh-login



    Step 1. Remove passphrase from Private key if present, for each client and user combinations



    For each user on each client computer or device use the following command to generate the public-private key pair:



    ssh-keygen -p


    You will be prompted for the the location where to keep the files. Hit enter to accept the default location.



    If you have an existing passphrase you will be asked to enter it. If you don't get prompted for existing passphrase, you are done. Press Ctrl+C to stop the process.



    Otherwise enter the existing passphrase and continue.



    Next you will be prompted to enter a passphrase. Hit Enter twice to remove the existing passphrase from the private key.



    If you don't have an existing public-private key pair, use the following command to generate it. You will be prompted to add a passphrase if you need one:



    ssh-keygen -t rsa


    If a user needs to log in from different clients (laptop, phone, etc.), she will need to repeat this process for each client.



    Step 2. Copy the public key to the server only if the key is new



    In your client computer enter:



    ssh-copy-id -i ~/.ssh/id_rsa user@board_ip


    It will ask for the password of the user in the remote server. Remember, password based login must be enabled for this to work.



    Repeat for all the users and all client devices.



    Step 3. Test if public keys are being used



    Try to login to the server by entering:



    ssh user@board_ip 


    If all goes well, you will not be prompted to enter any password or passphrase. This is normal. This shows that the public key is properly installed in the ssh server (the board) and it is working. We will change the setting so that it asks for the password again in the next step.



    Step 4. Setup for both public key and password



    Login to the ssh server (the board) and edit the /etc/ssh/sshd_config file. Add the following line in the file:



    AuthenticationMethods publickey,password


    Warning: Make sure that PasswordAuthentication looks like:



    #PasswordAuthentication yes


    This is the default behavior. You may choose to keep or remove the # in the beginning. However, if this setting is set to no along with the line you just added, then nobody will be able to login to the server using ssh. If you get locked out, you will have to physically go to the remote server, hook it up to keyboard, monitor, etc. and login locally and edit this file to fix the problem.



    End Warning



    Restart the ssh service in the server by:



    sudo service ssh restart


    If this does not work, reboot the board.



    Step 5. Test breaking in



    Find a new computer or login to the client computer using a new username, say user2. This user should not have any public-private key pairs in his /home/$USER/.ssh/ folder. We will pretend that user2 is the hacker who has somehow found out the password of user@board_ip and try to ssh into that system.



    Enter as user2, from the client computer:



    ssh user@board_ip


    If you can login with just the password, then it did not work. Anyone who has the password or can guess it, can login to the board. They do not need the key.



    If you get a permission denied and login fails, then the double authentication of public key and password works.



    Hope this helps














        edited Mar 30 '18 at 15:17

























        answered Mar 28 '18 at 20:48









        user68186
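The lockout warning in Method 2, Step 4 above (AuthenticationMethods publickey,password together with PasswordAuthentication no) can be checked on a copy of the file before sshd is restarted. The script below is an added example, not part of the original answer; the function names and the sample file names are hypothetical, and the sample configurations are constructed.

```shell
#!/bin/sh
# Added example: classify the global section of an sshd_config by the two
# settings the answer discusses. Function and file names are hypothetical.

# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would use for KEYWORD: keywords are case-insensitive,
# "#" lines are comments, and the first occurrence of a keyword wins.
# Parsing stops at the first Match block, so only global settings are read.
effective_value() {
    awk -v want="$2" -v val="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)          # keyword ends at blank or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            if (key == "match") exit
            if (key != want) next
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            exit                               # first occurrence wins
        }
        END { print val }
    ' "$1"
}

# classify_sshd_auth FILE
# Prints one of: key-or-password, password-disabled, key-and-password,
# lockout, other.
classify_sshd_auth() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    methods=$(effective_value "$1" AuthenticationMethods any)
    if [ "$methods" = any ]; then
        if [ "$pw" = no ]; then echo "password-disabled"; else echo "key-or-password"; fi
        return 0
    fi
    usable=0
    all_two_factor=1
    # AuthenticationMethods holds one or more space-separated lists; each
    # list is a comma-separated chain of methods that must all succeed.
    for list in $methods; do
        has_pw=0
        has_key=0
        old_ifs=$IFS
        IFS=,
        for m in $list; do
            case "$m" in
                password) has_pw=1 ;;
                publickey) has_key=1 ;;
            esac
        done
        IFS=$old_ifs
        # A list that names a disabled method can never be completed.
        if [ "$has_pw" = 1 ] && [ "$pw" = no ]; then continue; fi
        usable=$((usable + 1))
        if [ "$has_pw" = 0 ] || [ "$has_key" = 0 ]; then all_two_factor=0; fi
    done
    if [ "$usable" = 0 ]; then echo "lockout"
    elif [ "$all_two_factor" = 1 ]; then echo "key-and-password"
    else echo "other"; fi
}

# write_samples DIR: constructed sample configurations for the cases above.
write_samples() {
    printf '%s\n' '#PasswordAuthentication yes' > "$1/default.conf"
    printf '%s\n' 'PasswordAuthentication no' > "$1/method1.conf"
    printf '%s\n' '#PasswordAuthentication yes' \
        'AuthenticationMethods publickey,password' > "$1/method2.conf"
    printf '%s\n' 'PasswordAuthentication no' \
        'AuthenticationMethods publickey,password' > "$1/lockout.conf"
    printf '%s\n' 'passwordauthentication yes' 'PasswordAuthentication no' \
        'AuthenticationMethods publickey,password' > "$1/firstwins.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in default method1 method2 lockout firstwins; do
    printf '%-10s %s\n' "$f" "$(classify_sshd_auth "$demo_dir/$f.conf")"
done
rm -rf "$demo_dir"
```

On the server itself, `sudo sshd -t` checks the configuration file for errors and `sudo sshd -T` prints the effective settings; keeping an existing ssh session open while restarting the service leaves a way back in if the new settings are wrong.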





































            The issue is that ~/.ssh/id_rsa is the default home for an SSH public key in Ubuntu. Therefore you don't have to include -i ~/.ssh/id_rsa in your SSH command after the key exchange has happened, to use the id_rsa keypair.



            To avoid this behaviour create the SSH keypair with a different name, then it will only be used when you specify it with the -i option.



            Example:

            If you create the key with the name user_ssh_rsa in user's home directory:



            ssh-keygen -t rsa -f ~/.ssh/user_ssh_rsa


            Then exchange the key with the remote server, entering the password for the user on the remote system when prompted:



            ssh-copy-id -i ~/.ssh/user_ssh_rsa user@board_ip


            Logging in with:



            ssh -i ~/.ssh/user_ssh_rsa user@board_ip


            Will login without prompting for password, as it's using the newly created key.



            Using:



            ssh user@board_ip


            Will prompt for the password, as the keypair is not found automatically.

            This does depend on having removed the already shared key at ~/.ssh/id_rsa































            • I tried both options: first I renamed id_rsa, and second I renamed and changed the location of id_rsa and also permanently deleted id_rsa from the ~/.ssh/ location, but got the same result. ssh allows access without key and password. I want security in every ssh login attempt.

              – Tejas Virpariya
              Mar 28 '18 at 18:29







            • Did you remove id_rsa and id_rsa.pub? Otherwise it must be an ssh-agent caching issue.

              – Arronical
              Mar 29 '18 at 8:22











            • I removed the private key but didn't touch the public key.

              – Tejas Virpariya
              Mar 29 '18 at 11:26











            • I think you'd need to remove both.

              – Arronical
              Mar 29 '18 at 11:38























            edited Mar 28 '18 at 16:37

























            answered Mar 28 '18 at 15:07









            Arronical
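
A check for the two causes this thread points at, default-named keys left in ~/.ssh and keys cached by ssh-agent, as an added example that is not part of the original answer or comments. The function names are hypothetical, and the list of default key names is taken from the OpenSSH ssh(1) manual.

```shell
#!/bin/sh
# Added example (not from the original answer): report every key the ssh client
# could offer on its own, i.e. without an explicit -i option.

# Default identity file names from ssh(1); id_dsa applies to older releases only.
DEFAULT_KEY_NAMES="id_rsa id_dsa id_ecdsa id_ecdsa_sk id_ed25519 id_ed25519_sk"

# Print each default-named private key that exists in the given directory.
list_default_identities() {
    for name in $DEFAULT_KEY_NAMES; do
        if [ -f "$1/$name" ]; then
            printf '%s\n' "$1/$name"
        fi
    done
}

# Print the keys cached by a running ssh-agent (empty when there is no agent).
list_agent_identities() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 0
    command -v ssh-add >/dev/null 2>&1 || return 0
    # ssh-add -l exits non-zero when the agent is empty or unreachable.
    ssh-add -l 2>/dev/null | grep -v 'no identities' || true
}

# Return 0 when nothing is offered implicitly, 1 otherwise (with a report).
audit_ssh_client() {
    dir=${1:-${HOME:-.}/.ssh}
    files=$(list_default_identities "$dir")
    agent=$(list_agent_identities)
    if [ -z "$files" ] && [ -z "$agent" ]; then
        echo "OK: plain 'ssh user@host' has no key to offer from $dir or an agent"
        return 0
    fi
    if [ -n "$files" ]; then
        echo "Default-named keys (used without -i):"
        echo "$files"
    fi
    if [ -n "$agent" ]; then
        echo "Keys cached in ssh-agent (clear with 'ssh-add -D'):"
        echo "$agent"
    fi
    return 1
}

# Audit the directory given as the first argument, or ~/.ssh by default.
audit_ssh_client "$@" || true
```

The script does not read IdentityFile entries from ~/.ssh/config, which can also make a non-default key be used without -i.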





























