Is there any way to configure the OpenSSH server (/etc/ssh/sshd_config) to allow only private keys that have a passphrase?
ssh - How to limit connections to an OpenSSH server to private keys that have a passphrase
Tags: openssh, security, ssh
Related Solutions
You need your SSH public key and you will need your SSH private key. Keys can be generated with ssh-keygen.
The private key must be kept on Server 1 and the public key must be stored on Server 2.
This is completely described in the manpage of OpenSSH, so I will quote a lot of it. You should read the section 'Authentication'. Also the OpenSSH manual should be really helpful: http://www.openssh.org/manual.html
Please be careful with ssh because this affects the security of your server.
From man ssh:
    ~/.ssh/identity
    ~/.ssh/id_dsa
    ~/.ssh/id_rsa
        Contains the private key for authentication. These files contain
        sensitive data and should be readable by the user but not
        accessible by others (read/write/execute). ssh will simply ignore a
        private key file if it is accessible by others. It is possible
        to specify a passphrase when generating the key which will be
        used to encrypt the sensitive part of this file using 3DES.

    ~/.ssh/identity.pub
    ~/.ssh/id_dsa.pub
    ~/.ssh/id_rsa.pub
        Contains the public key for authentication. These files are not
        sensitive and can (but need not) be readable by anyone.
This means you can store your private key in your home directory in .ssh. Another possibility is to tell ssh via the -i parameter switch to use a special identity file.
Also from man ssh:
    -i identity_file
        Selects a file from which the identity (private key) for RSA or
        DSA authentication is read. The default is ~/.ssh/identity for
        protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for
        protocol version 2. Identity files may also be specified on a
        per-host basis in the configuration file. It is possible to have
        multiple -i options (and multiple identities specified in
        configuration files).
This is for the private key. Now you need to introduce your public key on Server 2. Again a quote from man ssh:
    ~/.ssh/authorized_keys
        Lists the public keys (RSA/DSA) that can be used for logging in
        as this user. The format of this file is described in the
        sshd(8) manual page. This file is not highly sensitive, but the
        recommended permissions are read/write for the user, and not
        accessible by others.
The easiest way to achieve that is to copy the file to Server 2 and append it to the authorized_keys file:
    scp -p your_pub_key.pub user@host:
    ssh user@host
    host$ cat id_dsa.pub >> ~/.ssh/authorized_keys
Authorisation via public key must be allowed for the ssh daemon, see man ssh_config. Usually this can be done by adding the following statement to the config file:
    PubkeyAuthentication yes
First off, I usually create a second sshd process with its own configuration file (sshd -f /etc/ssh/sshd-2222.conf, for instance) or override the configuration on the command line (sshd -p 2222 -o PasswordAuthentication=no -o PermitRootLogin=no). This way they share the same keys, etc., but you can override any of the parameters.
Any ideas why this happens?
I have some ideas:
1. SELinux is enabled and is preventing you from using the port to log in. This isn't likely, because if the problem were SELinux, it wouldn't get that far. Run
       selinuxenabled && echo "SELinux enabled" && getenforce
   and if it is enabled and enforced, grep sshd /var/log/audit/audit.log to identify failures. Disable it to see if the problem goes away.
2. PAM is getting in the way. Again, this doesn't seem likely, since PAM doesn't care about what port you use in conjunction with SSH.
3. /etc/hosts.allow or /etc/hosts.deny. Here you can associate port-service-user in any number of combinations. If these files are empty, we have to look elsewhere.
4. Did ssh add some mysterious port number to the key? It's possible. Your logs indicate it both is and is not happening. See, for instance:
       debug1: Authentication succeeded (publickey). Authenticated to localhost ([127.0.0.1]:5984).
From the changelog in CentOS 7:
    * Fri Oct 26 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-2 - add SELinux comment to /etc/ssh/sshd_config about SELinux command to modify port (#861400)
OK, so maybe it is selinux.
Best Answer
No, you have little control over how the private keys are configured, and you can't detect / enforce any passphrase requirement on them.
You also can't limit the size of the keys without modifying the OpenSSH source itself (i.e. there is no configuration option to achieve a minimum key length limit).
You can limit the type of public keys accepted using the PubkeyAcceptedKeyTypes parameter, but not the length.
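The answer's point is that the passphrase is a property of the client's key file and never reaches sshd, so the only place it can be checked is the host that holds the key. The following is an added example, not code from the answer or from OpenSSH: a small audit that reads private key files and reports which ones are stored without a passphrase, by checking the cipher name in the openssh-key-v1 header (ssh-keygen's default format) or the encryption markers in legacy PEM and PKCS#8 files. It assumes keys live in a ~/.ssh-style directory as id_* files; the openssh-key-v1 sample it builds is constructed and carries no key material.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # fixed prefix of ssh-keygen's native format

def key_is_encrypted(pem: str) -> bool:
    """True if the private key text is passphrase-protected (openssh-key-v1, legacy PEM or PKCS#8)."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armored private key")
    label = lines[0]
    if label == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Right after the magic comes the ciphername as an SSH string (uint32 length + bytes).
        # ssh-keygen writes "none" when no passphrase was given, otherwise e.g. "aes256-ctr".
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", body[off:off + 4])
        return body[off + 4:off + 4 + n] != b"none"
    if label == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return True
    if label == "-----BEGIN PRIVATE KEY-----":  # PKCS#8, clear
        return False
    # Legacy RSA/DSA/EC PRIVATE KEY PEM (ssh-keygen -m PEM): encryption shows up as a header line.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])

def constructed_openssh_v1(cipher: str, kdf: str) -> str:
    """CONSTRUCTED sample: header-only openssh-key-v1 blob, no key material inside."""
    body = OPENSSH_MAGIC
    for s in (cipher.encode(), kdf.encode(), b""):  # ciphername, kdfname, kdfoptions
        body += struct.pack(">I", len(s)) + s
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

def audit_ssh_dir(ssh_dir: Path) -> list:
    """Return the id_* private key files under ssh_dir that lack a passphrase."""
    unprotected = []
    for p in sorted(ssh_dir.glob("id_*")):
        if p.suffix == ".pub" or not p.is_file():
            continue
        try:
            if not key_is_encrypted(p.read_text()):
                unprotected.append(p)
        except (ValueError, UnicodeDecodeError):
            pass  # not a text PEM key (or a stray file); skip it
    return unprotected
```

Run audit_ssh_dir(Path.home() / ".ssh") from an endpoint audit job; a key it reports is exactly the condition sshd_config cannot detect.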