Find the answer to your Linux question:
Results 1 to 7 of 7
Hi everyone! I'd like to ask one simple question I can't figure out how to solve. I've set up my public key authentication by generating the public key on my ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jun 2011
    Posts
    3

    Public key authentication


    Hi everyone!

    I'd like to ask one simple question I can't figure out how to solve.

    I've set up my public key authentication by generating the public key on my Windows box.

    Copied that into /root/.ssh/authorized_keys

    Disabled password authentication in /etc/ssh/sshd_config:

    #Port 22
    #Protocol 2,1
    Protocol 2
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 768

    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    PermitRootLogin yes
    #StrictModes yes
    #MaxAuthTries 6

    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile /root/.ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no

    # GSSAPI options
    #GSSAPIAuthentication no
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    GSSAPICleanupCredentials yes

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication mechanism.
    # Depending on your PAM configuration, this may bypass the setting of
    # PasswordAuthentication, PermitEmptyPasswords, and
    # "PermitRootLogin without-password". If you just want the PAM account and
    # session checks to run without PAM authentication, then enable this but set
    # ChallengeResponseAuthentication=no
    #UsePAM no
    UsePAM yes

    # Accept locale-related environment variables
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #ShowPatchLevel no
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    #PermitTunnel no
    #ChrootDirectory none

    # no default banner path
    #Banner /some/path

    # override default of no subsystems
    Subsystem sftp /usr/libexec/openssh/sftp-server
    Everything's OK, I can login with my generated public key on the server and stuff.

    BUT!

    What I'd like to do is disable that Login As prompt that appears when someone tries to SSH into my server and tries the username and password:
    disable prompt.jpg


    Thank you so much for any ideas!

  2. #2
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,356
    I donīt think this is possible, because the ssh daemon needs to know in which userīs homedir it has to search for authorized keys and more important: Which user shall be assigned after succesfull login.

    If you want to heighten transparancy and security, it might be good to disable root login.
    - If a regular user needs to login first, then this user is known. On the contrary: "root" is not neccessarily bound to one person.
    - This regular user either needs to know the root pw or be in the sudoers group and provide his/her password.
    Which is an additional token in comparision to "just" the right key.
    Last edited by Irithori; 06-25-2011 at 05:43 PM.
    You must always face the curtain with a bow.

  3. #3
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,356
    I just looked at your config.
    Code:
    AuthorizedKeysFile      /root/.ssh/authorized_keys
    This essentially says, any user who wants to login, needs his/her public key in rootsī authorized_keys.

    It is possible, but unusual and unflexible.
    You must always face the curtain with a bow.

  4. #4
    Just Joined!
    Join Date
    Jun 2011
    Posts
    3
    Quote Originally Posted by Irithori View Post
    I just looked at your config.
    Code:
    AuthorizedKeysFile      /root/.ssh/authorized_keys
    This essentially says, any user who wants to login, needs his/her public key in rootsī authorized_keys.

    It is possible, but unusual and unflexible.
    That is correct Irithori. I'm the only user who connects to this server.

    Glad to hear it's possible, but how? Just wanna disable that root login prompt.

    I'm trying to discourage the hackers. When you see no prompt no nothing you don't even think about hacking and brute forcing.

    So? How to disable the login?

  5. #5
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,356
    Quote Originally Posted by Irithori
    I donīt think this is possible, because the ssh daemon...
    It takes a lot more to discourage bad guys

    But if you really, *really* want no login, then you would need to:
    - get the sourcecode of opensshd
    - locate the part, where it asks for the login
    - and rewrite it, by using a hardcoded username.
    - then compile
    - and install to your system
    "You have the source, Luke. Use it"


    Quite frankly, I wouldnt go that route.
    You must always face the curtain with a bow.

  6. #6
    Just Joined!
    Join Date
    Jun 2011
    Posts
    3
    Quote Originally Posted by Irithori View Post
    It takes a lot more to discourage bad guys

    But if you really, *really* want no login, then you would need to:
    - get the sourcecode of opensshd
    - locate the part, where it asks for the login
    - and rewrite it, by using a hardcoded username.
    - then compile
    - and install to your system
    "You have the source, Luke. Use it"


    Quite frankly, I wouldnt go that route.
    Nah, it's a settings matter. Seen this implemented on a server.

  7. #7
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,356
    I just read
    Manual Pages: sshd_config
    Manual Pages: sshd( 8 )
    and I am quite sure, that it is not possible to disable that login prompt.

    As noted above, I donīt see, how the right user on the server would be determined, if the server doesnt explicitly request and the client provide it..
    But letīs see, maybe someone else knows more.
    You must always face the curtain with a bow.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •