Using SSH pass/login auth together with key

Hello,
In a previous topic I successfully added, to one of my SSH users, a key so he can connect with it without being prompted for his account's password.
Now I want to ask: how can I make it mandatory for this user to use both the key and the password of this SSH account?
I mean that, for example, for user:
login: mario
pass: test
he has a key.
I run from my local machine ssh -i /home/user1/id_dsa marios@grserver.gr
and I get connected instantly without being asked for the password test.

I need this to have maximum security...
Any help?
MaRiOsGR asked:

chris_calabrese commented:
SSH doesn't work that way by default. Either you have a key or you have a password. If you want both I suggest getting the source to OpenSSH (openssh.org) and creating this capability. If you make it a setting in sshd.conf the openssh maintainers may put it into the next release for you.

MaRiOsGR (author) commented:
thanx Chris, but if I knew how to do all these things, and about programming, I wouldn't bother to ask.

So there is absolutely no way to use login/pass together with key authentication?
chris_calabrese commented:
No. It's one or the other, not both.
But what you can do is set the keys to have a password needed to unlock them. This is done when the keys are created.
MaRiOsGR (author) commented:
You mean by using a passphrase when the key is generated?
chris_calabrese commented:
Yeah.
decoleur commented:
mario,

OpenSSH provides a series of ways to authenticate, but you can only use one at a time; OpenSSH does not provide multiple layers of authentication unless you wrap the SSH authentication in something else like stunnel, and I personally have had little success with it.

HTH

-t
decoleur commented:
Oops...

I am suffering from slow posting today.
MaRiOsGR (author) commented:
hm.. ok, let's say that I have generated a key without a passphrase,
can I add the passphrase now, or do I have to generate a new key?

chris_calabrese commented:
You can add a passphrase with ssh-keygen (or whatever you're using). Read the man page for how.
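As an added example (not from this thread), here is the check an admin would run after handing out the passphrase advice above: a small audit that tells whether an existing OpenSSH private key already carries a passphrase, without ever needing the passphrase itself. It reads only the key header. The legacy PEM format that id_dsa and id_rsa used at the time marks an encrypted key with "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" headers; the newer openssh-key-v1 container names its cipher and KDF up front, and both read "none" when no passphrase was set. The sample keys in the block are constructed headers with no real key material, and the paths on the usage line are whatever the admin chooses.

```python
"""Audit whether OpenSSH private keys are passphrase-protected.

Added example, not from the thread. Only the file header is inspected, so no
passphrase is needed and nothing is decrypted. Two on-disk formats:
  * legacy PEM (what ssh-keygen of this era wrote for id_dsa / id_rsa): an
    encrypted key carries "Proc-Type: 4,ENCRYPTED" and a "DEK-Info:" header;
  * "openssh-key-v1" (ssh-keygen -o, the default in newer releases): the
    base64 payload opens with the magic string, then the cipher name, then
    the KDF name; both read "none" when the key has no passphrase.
The sample keys at the bottom are CONSTRUCTED headers with no real key data.
Files are expected with LF line endings, as ssh-keygen writes them.
"""
import base64
import re
import struct
import sys

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+?) PRIVATE KEY-----\r?\n(.*?)-----END \1 PRIVATE KEY-----",
    re.S,
)


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_has_passphrase(text: str) -> bool:
    """True if the PEM-armoured private key in `text` is encrypted."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("not a PEM-armoured private key")
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH":
        raw = base64.b64decode("".join(body.split()))
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(raw, len(magic))
        kdf, _ = _read_string(raw, off)
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM: optional headers precede a blank line; encryption is
    # signalled by Proc-Type 4,ENCRYPTED plus the DEK-Info cipher/IV line.
    head = body.split("\n\n", 1)[0] if "\n\n" in body else ""
    return "Proc-Type: 4,ENCRYPTED" in head and "DEK-Info:" in head


def audit(paths):
    """Map each key file path to True (passphrase), False (none) or an error string."""
    out = {}
    for p in paths:
        try:
            with open(p, "r", encoding="ascii") as fh:
                out[p] = key_has_passphrase(fh.read())
        except (OSError, ValueError, UnicodeDecodeError) as e:
            out[p] = f"error: {e}"
    return out


# --- CONSTRUCTED samples for a dry run (headers only, no usable key) -------
def fake_openssh_v1(cipher: str, kdf: str) -> str:
    """Build an openssh-key-v1 header with the given cipher/KDF names."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    raw = (b"openssh-key-v1\x00" + s(cipher.encode()) + s(kdf.encode())
           + s(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


LEGACY_PLAIN = "-----BEGIN DSA PRIVATE KEY-----\nMIIBugIBAAKBgQ==\n-----END DSA PRIVATE KEY-----\n"
LEGACY_ENC = (
    "-----BEGIN DSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
    "MIIBugIBAAKBgQ==\n"
    "-----END DSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Usage: python audit_keys.py /home/*/.ssh/id_*   (paths are the admin's choice)
    for path, result in audit(sys.argv[1:]).items():
        state = "passphrase" if result is True else "NO PASSPHRASE" if result is False else result
        print(f"{path}: {state}")
```

For the question above about a key generated without a passphrase: ssh-keygen -p -f <keyfile> adds or changes the passphrase on the existing key in place, so no new key has to be issued, and re-running this audit afterwards confirms the file now reads as encrypted.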
MaRiOsGR (author) commented:
decoleur thanx :DDDD
So there isn't anything more secure than that....
The last step is to give access to static IPs, right?
But only 1/20 users have static IPs at their homes..
decoleur commented:
You do not have to restrict the keys to IP addresses; in fact, if you do and the IP address changes you will be up the creek without a subnet.

HTH

-t
chris_calabrese commented:
What is more secure depends on the threat you're trying to defend against, which depends on what kind of site you have and what the connectivity is.

If you're a low-value target on the Internet, your biggest problem is password-guessing attacks, in which case you want to force strong passwords at the OS level (and force them to be changed regularly, lock out after 3 invalid attempts, etc.) and consider only allowing authentication via keys, and not passwords at all.

If you're a high-value target on the Internet, then it's more likely that someone will target one of your users' PCs to steal their keys. In this case you want to educate them to use strong passphrases on their keys and also consider using a two-factor authentication mechanism like SafeWord (SSH has hooks to support this sort of thing).

Another option is not to be on the Internet with SSH at all, but to force connection through a VPN. This way you can have one authentication mechanism for the VPN (like SafeWord) and another for SSH (passwords and/or keys).
MaRiOsGR (author) commented:
The server we are using is for web-hosting purposes.
It runs Plesk and RH EL3.

If I check the logs I see constant attacks every day from different IPs;
the attacks are attempts to log in to SSH with various usernames & passwords.

I tried to use a VPN and install freeradius in a way that would authenticate through the passwords/logins of the shadow file.
But I couldn't make it work.

So the last chance is to make SSH more secure, or more complex for some simple hacker to break.
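The password-guessing pattern described in this post, seen through a log summariser: an added example, not from the thread, that groups OpenSSH "Failed password" lines by source address, counts how many guesses were aimed at usernames that do not exist, and lists any accepted login that came from a source that had been guessing. The sample lines are constructed in the syslog layout RHEL's sshd writes to /var/log/secure, so the same regexes apply to real lines from that file; the threshold of 3 failures is this example's choice.

```python
"""Summarise SSH password-guessing activity from sshd log lines.

Added example, not from the thread. SAMPLE_LOG is CONSTRUCTED in the syslog
layout RHEL's sshd writes to /var/log/secure. Only OpenSSH's
"Failed password" and "Accepted <method>" messages are recognised.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  3 02:11:07 web1 sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 4312 ssh2
Mar  3 02:11:09 web1 sshd[4121]: Failed password for invalid user test from 203.0.113.5 port 4313 ssh2
Mar  3 02:11:12 web1 sshd[4122]: Failed password for root from 203.0.113.5 port 4314 ssh2
Mar  3 02:11:15 web1 sshd[4123]: Failed password for invalid user oracle from 203.0.113.5 port 4315 ssh2
Mar  3 02:11:18 web1 sshd[4124]: Failed password for root from 203.0.113.5 port 4316 ssh2
Mar  3 08:30:01 web1 sshd[4201]: Failed password for mario from 198.51.100.7 port 51022 ssh2
Mar  3 08:30:20 web1 sshd[4202]: Accepted publickey for mario from 198.51.100.7 port 51023 ssh2
Mar  3 09:02:44 web1 sshd[4250]: Accepted password for admin2 from 192.0.2.10 port 40010 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def summarize(log_text: str, threshold: int = 3) -> dict:
    """Group password failures by source; flag sources at or above `threshold`."""
    failures = defaultdict(lambda: {"count": 0, "users": set(), "invalid_users": 0})
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            rec = failures[m["ip"]]
            rec["count"] += 1
            rec["users"].add(m["user"])
            if m["invalid"]:          # username does not exist: a dictionary run, not a typo
                rec["invalid_users"] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
    suspects = sorted(ip for ip, rec in failures.items() if rec["count"] >= threshold)
    return {
        "failures": dict(failures),
        "suspects": suspects,
        "accepted": accepted,
        # a login from a source that was guessing is the record to read first
        "accepted_from_suspects": [a for a in accepted if a[0] in suspects],
        # direct root guesses show why PermitRootLogin matters
        "root_password_attempts": sum(
            1 for line in log_text.splitlines() if "Failed password for root from" in line
        ),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in report["suspects"]:
        rec = report["failures"][ip]
        print(f"{ip}: {rec['count']} failures, {rec['invalid_users']} for nonexistent users, "
              f"tried {sorted(rec['users'])}")
    print("logins from suspect sources:", report["accepted_from_suspects"])
    print("password guesses against root:", report["root_password_attempts"])
```

In the sample, one source burns through admin, test, oracle and root in a few seconds, while the single failure from mario's own address followed by an accepted public-key login is ordinary user behaviour; the summary keeps those two cases apart rather than counting every failure the same way.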

chris_calabrese commented:
1. Set up SSH and password handling (and the system in general) as per the Center for Internet Security RedHat ES Benchmark (www.cisecurity.org)
2. Allow keys
3. Educate users about the need for passphrases on keys (like sending them a one-pager on how to set up a key using ssh-keygen and also using puttygen (Windows))
4. Consider forcing keys-only
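The list above as a checkable configuration: an added example (not from the thread, and not the CIS benchmark's own tooling) that parses sshd_config directives and reports where a permissive file departs from a keys-only policy. Both configuration texts are constructed samples. The expected values are this example's own choices for the steps listed (Protocol 2 only, for OpenSSH of that era; root login off; keys accepted; passwords off; at most 3 tries per connection); the directive names themselves are real sshd_config keywords.

```python
"""Compare a permissive sshd_config against a keys-only one.

Added example, not from the thread and not the CIS benchmark's checker: the
expected values are this example's own choices. Both config texts are
CONSTRUCTED. Only global directives are examined, and the parser mirrors
sshd's first-occurrence-wins rule for repeated keywords.
"""

WEAK_CONFIG = """\
# CONSTRUCTED: a stock-looking file with password logins wide open
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
#PubkeyAuthentication yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """\
# CONSTRUCTED: keys only; admins log in as themselves and su
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
"""

# (lowercased keyword, predicate on the value, what a miss means)
POLICY = [
    ("protocol", lambda v: v == "2", "SSH protocol 1 must not be offered"),
    ("permitrootlogin", lambda v: v.lower() == "no", "root must not log in over SSH directly"),
    ("pubkeyauthentication", lambda v: v.lower() == "yes", "keys must be accepted"),
    ("passwordauthentication", lambda v: v.lower() == "no", "password guessing stays possible"),
    ("permitemptypasswords", lambda v: v.lower() == "no", "empty passwords must be refused"),
    ("maxauthtries", lambda v: v.isdigit() and int(v) <= 3, "too many tries per connection"),
]


def parse_sshd_config(text: str) -> dict:
    """Return {lowercased keyword: first value}; comments and blank lines dropped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: '#' always starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def audit_sshd_config(text: str) -> list:
    """List (keyword, observed value or None, message) for every policy miss."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, ok, msg in POLICY:
        val = cfg.get(key)
        if val is None:
            findings.append((key, None, f"not set explicitly, relying on the compiled-in default: {msg}"))
        elif not ok(val):
            findings.append((key, val, msg))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(text)
        print(f"== {name}: {len(findings)} finding(s)")
        for key, val, msg in findings:
            print(f"  {key} = {val!r}: {msg}")
```

Run it against a copy of the real file before editing the live one. Two points the check cannot make for you: MaxAuthTries limits guesses per connection, which is not the OS-level account lockout mentioned earlier in the thread, so both still need setting; and ChallengeResponseAuthentication is in the hardened sample because, with PAM, it is a second route by which a plain password can be accepted even after PasswordAuthentication is off.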
MaRiOsGR (author) commented:
Another question.

All my users are logging in to the server in the classic way of login/pass.

I, with the help of decoleur, installed a private key for one of my users, so he can log in with the key as well.
Can I lock down the ability of logging in with a login/pass to that specific user only?

(My point is to use keys for all the customers and use the classic way of login/pass for the admins (those who can su to root).)
chris_calabrese commented:
You can do all kinds of user-based restrictions in the sshd.conf file. See the man page.
MaRiOsGR (author) commented:
Yes, but if I change something in the sshd.conf it will affect all the users, right?

I don't want to do anything wrong and be locked out of the server; imagine how my bosses would react to this... (I'm just a newbie employee..)
MaRiOsGR (author) commented:
I mean I want to make changes only for one user, until I'm 100% sure of the results.... :/
decoleur commented:
In the wise words of chris c, read the man page.

I think it is an all-or-nothing proposition.

You cannot have sshd configured one way for one user and another way for another.
MaRiOsGR (author) commented:
ok.....
A last question..
IF.... say.. if I get locked out by mistake,
is there a way for the technicians in the datacenter to gain access to the box?
(I'm in Greece and the server is in the US, I think)
decoleur commented:
A user at the computer should be able to use the terminal on the computer to log in as a user, assuming you have KVM access.
decoleur commented:
Your best bet is to get an old box and try doing all this on it; you shouldn't test on a production box. Ever.
MaRiOsGR (author) commented:
ok thanx
decoleur commented:
cheers
chris_calabrese commented:
Oops, I was thinking of the per-host configs. I guess you can't do per-user configs. Maybe you could run a second ssh daemon on a separate port and set that one to allow it and only allow that user.
MaRiOsGR (author) commented:
oooooook
decoleur commented:
mario-

Thanx, but you really should split the points between me and chris; he had some good stuff to contribute on this one.

-t
MaRiOsGR (author) commented:
oww I was about to give it all to Chris, I gave them to you by mistake loooooooooool

I don't know how to split them :PPPPPP tell me
chris_calabrese commented:
Just click on the Split Points button.

Not sure if you can still do this after you awarded the points. If you can't, open a question in Community Support asking the Experts Exchange staff to do it for you.
MaRiOsGR (author) commented:
okay, I did ask them
MaRiOsGR (author) commented:
Ok, did it work now? :)
decoleur commented:
yes.

cheers