Ssh – How to limit connections to OpenSSH server to using private keys necessarily with passphrase

opensshSecurityssh

Is there any way to configure OpenSSH (/etc/ssh/sshd_config) server to allow private keys necessarily with passphrase?

Best Answer

No, you have little control over how the private keys are configured, and you can't detect / enforce any passphrase requirement on them.

You also can't limit the size of the keys without modifying the OpenSSH source itself (i.e. there is no configuration option to achieve a minimum key length limit).

You can limit the type of public keys accepted using the PubkeyAcceptedKeyTypes parameter, but not the length.

PubkeyAcceptedKeyTypes

Specifies the key types that will be accepted for public key authentication as a comma-separated pattern list. Alternately if the specified value begins with a `+' character, then the specified key types will be appended to the default set instead of replacing them. The default for this option is:
  ecdsa-sha2-nistp256-cert-v01@openssh.com,
  ecdsa-sha2-nistp384-cert-v01@openssh.com,
  ecdsa-sha2-nistp521-cert-v01@openssh.com,
  ssh-ed25519-cert-v01@openssh.com,
  ssh-rsa-cert-v01@openssh.com,
  ssh-dss-cert-v01@openssh.com,
  ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
  ecdsa-sha2-nistp521,ssh-ed25519,
  ssh-rsa,ssh-dss

Related Solutions

SSH OpenSSH – How to SSH to Remote Server Using a Private Key

You need your SSH public key and you will need your ssh private key. Keys can be generated with ssh-keygen. The private key must be kept on Server 1 and the public key must be stored on Server 2.

This is completly described in the manpage of openssh, so I will quote a lot of it. You should read the section 'Authentication'. Also the openSSH manual should be really helpful: http://www.openssh.org/manual.html

Please be careful with ssh because this affects the security of your server.

From man ssh:

 ~/.ssh/identity
 ~/.ssh/id_dsa
 ~/.ssh/id_rsa
     Contains the private key for authentication.  These files contain
     sensitive data and should be readable by the user but not acces-
     sible by others (read/write/execute).  ssh will simply ignore a
     private key file if it is accessible by others.  It is possible
     to specify a passphrase when generating the key which will be
     used to encrypt the sensitive part of this file using 3DES.

 ~/.ssh/identity.pub
 ~/.ssh/id_dsa.pub
 ~/.ssh/id_rsa.pub
     Contains the public key for authentication.  These files are not
     sensitive and can (but need not) be readable by anyone.

This means you can store your private key in your home directory in .ssh. Another possibility is to tell ssh via the -i parameter switch to use a special identity file. Also from man ssh:

 -i identity_file
     Selects a file from which the identity (private key) for RSA or
     DSA authentication is read.  The default is ~/.ssh/identity for
     protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for pro-
     tocol version 2.  Identity files may also be specified on a per-
     host basis in the configuration file.  It is possible to have
     multiple -i options (and multiple identities specified in config-
     uration files).

This is for the private key. Now you need to introduce your public key on Server 2. Again a quote from man ssh:

  ~/.ssh/authorized_keys
         Lists the public keys (RSA/DSA) that can be used for logging in
         as this user.  The format of this file is described in the
         sshd(8) manual page.  This file is not highly sensitive, but the
         recommended permissions are read/write for the user, and not
         accessible by others.

The easiest way to achive that is to copy the file to Server 2 and append it to the authorized_keys file:

scp -p your_pub_key.pub user@host:
ssh user@host
host$ cat id_dsa.pub >> ~/.ssh/authorized_keys

Authorisation via public key must be allowed for the ssh daemon, see man ssh_config. Usually this can be done by adding the following statement to the config file:

PubkeyAuthentication yes

SSH server listening on multiple ports with passwordless access not allowing connections to second port

First off, I usually create a second sshd process with its own configuration file. (sshd -f /etc/ssh/sshd-2222.conf for instance) or by overriding the configuration on the command-line (sshd -p 2222 -o PasswordAuthentication=no,AllowRoot=no). This way they share the same keys, etc, but you can override any of the parameters.

Any ideas why this happen?

I have some ideas:

selinux is enabled and is preventing you from using the port to login. This isn't likely, because if the problem were selinux, it wouldn't get that far. Run selinuxenabled && echo "SELinux enabled" && getenforce and if it is enabled and enforced, grep sshd /var/log/audit/audit.log to identify failures. Disable to see if it goes away.
PAM is getting in the way. Again, this doesn't seem likely, since PAM doesn't care about what port you use in conjunction with SSH.
/etc/hosts.allow or /etc/hosts.deny. Here you can associate port-service-user in any number of combinations. If these files are empty, we have to look elsewhere.
Did ssh add some mysterious port number to the key? It's possible. Your logs indicate it is and is not happening. See, for instance:

debug1: Authentication succeeded (publickey). Authenticated to localhost ([127.0.0.1]:5984).

From the changelog in CentOS7:

* Fri Oct 26 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-2
  - add SELinux comment to /etc/ssh/sshd_config about SELinux command to modify port (#861400)

OK, so maybe it is selinux.

Best Answer

Related Solutions

SSH OpenSSH – How to SSH to Remote Server Using a Private Key

SSH server listening on multiple ports with passwordless access not allowing connections to second port

Related Question