Using SSH public/private key authentication

Red Squirrel

No Lifer
May 24, 2003
70,167
13,573
126
www.anyf.ca
I want to set up public key auth (where I have to set up a public key in PuTTY) and regular password authentication on top of it, but force public key, so that you need both to log in, and not just one or the other.

All the sites I've read only show how to generate the keys and don't talk about the actual sshd config changes that I'd have to make to do this.

Also I want each user to have their own key pair.

So how do I go about doing this?

As an alternative, is there an easy way to block brute force attacks? I find it retarded that this is not built in. It should be standard in ANY password authentication mechanism. I don't get why nobody uses this, like even big MMORPGs don't. Accounts get hacked all the time because of brute force. 3 attempts, block IP for 30 minutes, that simple...
 

Red Squirrel
So just public key does not work, or just password does not work. I want both to be required to log in, so that it's a two-factor authentication.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I understand what forcing both means, but it's not really two-factor since most people will either set their public key password to nothing or the same as their password and defeat the purpose.
 

Red Squirrel
Can't I set some kind of password complexity policy? And the public key password is generated by me I think... then I just give them the file.

Though what I might just do is get the sshd source and make it so it blocks IPs after NN tries. Just need to keep track of bad tries in a text file or something. Or I can just lock out the accounts in question, though probably best to just IP block for half an hour or so.
 

Nothinman
The public key password is set when you generate the keys so unless you plan on generating the keys for all of your users they get to set their own password. And even then they can just use ssh-keygen to change the password if they don't like it.

Though what I might just do is get the sshd source and make it so it blocks IPs after NN tries

Um, or take the much simpler route and just install something like fail2ban...
 
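As an added example (my own script, not anything posted in the thread), here is the sshd side of what the original post asks for: make the daemon demand a public key and then the account password, and give each user their own authorized_keys file. It assumes OpenSSH 6.2 or later, which introduced the AuthenticationMethods directive (the thread predates it); the output directory and the file name are my choice. The server can only enforce what it sees: a key's passphrase is purely client-side and, as Nothinman says, the user can change it with `ssh-keygen -p`, so the account password is the second factor the daemon actually checks.

```shell
#!/bin/sh
# Added example, not from the thread. Requires OpenSSH >= 6.2 for
# AuthenticationMethods. Output locations and file names are assumptions.
set -eu

# Write a sshd_config fragment to OUT_DIR (default: a temp dir) and print its
# path. Append it to /etc/ssh/sshd_config, or on OpenSSH >= 8.2 drop it into
# /etc/ssh/sshd_config.d/ where the stock config Includes it.
render_sshd_twofactor() {
  out_dir="${1:-$(mktemp -d)}"
  cfg="$out_dir/50-require-key-and-password.conf"
  cat > "$cfg" <<'EOF'
# Each method must be enabled on its own ...
PubkeyAuthentication yes
PasswordAuthentication yes
# ... and this line makes sshd require them in sequence: key first, then
# password. Succeeding at only one of the two is refused.
AuthenticationMethods publickey,password
# The password is the second factor, so an empty one must never pass.
PermitEmptyPasswords no
# Per-user key file; sshd never shares keys between accounts.
AuthorizedKeysFile .ssh/authorized_keys
EOF
  printf '%s\n' "$cfg"
}

# Install one user's public key line into HOME/.ssh/authorized_keys with the
# permissions sshd's StrictModes (on by default) insists on. Idempotent.
install_user_pubkey() {
  home="$1"; pubkey="$2"
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  grep -qxF "$pubkey" "$home/.ssh/authorized_keys" \
    || printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# Syntax-check with the real daemon when it is installed (run as root so the
# host keys are readable): `sshd -t` parses and exits without listening,
# `sshd -T` prints the effective configuration.
check_with_sshd() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1" && sshd -T -f "$1" | grep -i '^authenticationmethods'
  else
    echo "sshd not installed here; fragment written to $1"
  fi
}
```

Keep one root shell open while the new fragment is reloaded: a typo in AuthenticationMethods locks every user out, including the admin.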

Red Squirrel
hmm did not realize non-root users could actually execute ssh-keygen, that's actually a huge security flaw... regular user could just regenerate the root one, bang, remove that layer of security, then just need to crack password or use that vmsplice flaw (which hopefully the yum update fixed so that's a non-issue)

I'll take a look at fail2ban, I was actually considering coding something like this so I can just install on all my servers, but if it's already made then bonus. Hopefully it's not as tedious as the other ones I found which I gave up on. Taking a look at the docs now. My main concern is brute force so if I can get that issue solved I won't worry about public key (which does not sound all that secure anyway if users can change it)

fail2ban is in the yum repository, so far this is promising.
 

Nothinman
hmm did not realize non-root users could actually execute ssh-keygen, that's actually a huge security flaw... regular user could just regenerate the root one, bang, remove that layer of security, then just need to crack password or use that vmsplice flaw (which hopefully the yum update fixed so that's a non-issue)

Uh no. Regular users have to be able to run it to generate their own personal keys and they won't be able to change the daemon's key unless you really f' up the permissions in /etc/ssh.
 

Red Squirrel
nice, got fail2ban working. Just one question, is there a way so it blocks that IP completely instead of by port? Way I look at it, if someone is brute forcing, it's nice that they'll get blocked at the ssh port, but I'd rather have them blocked totally, ICMP and all of TCP/UDP. I'm even going to be strict enough to block for a full hour.
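As an added example (my own script, not the project's files and not anything posted in the thread), this renders a fail2ban jail for sshd in the two shapes the thread discusses: the first post's "3 attempts, block IP for 30 minutes", which fail2ban's default action applies to the SSH port only, and the last post's wish to drop every packet from the offender for a full hour, which fail2ban's bundled iptables-allports action does. It assumes fail2ban 0.9 or later (jail name `sshd`, chain `f2b-sshd`); the output directory and the ignoreip range are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from fail2ban itself. Assumes fail2ban
# >= 0.9. Output directory and the admin network in ignoreip are assumptions.
set -eu

# Write a jail.local fragment to OUT_DIR (default: a temp dir) and print its
# path. Install it as /etc/fail2ban/jail.local; leave jail.conf alone, package
# upgrades overwrite it.
#   MODE "port": the default banaction, bans only the jail's port (ssh).
#   MODE "all":  the stock iptables-allports action, which DROPs every packet
#                from the banned source, ICMP and all TCP/UDP included.
render_fail2ban_sshd_jail() {
  mode="${1:-port}"
  out_dir="${2:-$(mktemp -d)}"
  cfg="$out_dir/jail.local"
  case "$mode" in
    port) banaction="iptables-multiport"; bantime=1800 ;;   # 30 minutes
    all)  banaction="iptables-allports";  bantime=3600 ;;   # a full hour
    *)    echo "mode must be 'port' or 'all'" >&2; return 2 ;;
  esac
  cat > "$cfg" <<EOF
[DEFAULT]
# Never ban yourself: loopback plus the admin network (assumed range).
ignoreip = 127.0.0.1/8 10.0.0.0/8
# Failures are counted within this window (seconds) ...
findtime = 600
# ... and a ban lasts this long (seconds).
bantime = $bantime
banaction = $banaction

[sshd]
enabled = true
# Three failed attempts inside findtime trigger the ban.
maxretry = 3
# fail2ban's bundled sshd filter; the log it reads comes from paths-*.conf.
filter = sshd
EOF
  printf '%s\n' "$cfg"
}

# Operator checks once the file is installed (all real fail2ban-client flags):
#   fail2ban-client -t              parse the configuration without starting
#   fail2ban-client status sshd     failures seen and addresses banned now
#   iptables -L f2b-sshd -n         the chain the action created
```

A ban on every port also cuts off ICMP, so a banned address can no longer ping the host; keep the ignoreip list current so a mistyped password from the monitoring box does not silence it for an hour.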