Public key authentication

[initd]

---

Hi everyone!

I'd like to ask one simple question I can't figure out how to solve.

I've set up my public key authentication by generating the public key on my Windows box.

Copied that into /root/.ssh/authorized_keys

Disabled password authentication in /etc/ssh/sshd_config:

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /root/.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Everything's OK, I can login with my generated public key on the server and stuff.

BUT!

What I'd like to do is disable that Login As prompt that appears when someone tries to SSH into my server and tries the username and password:
disable prompt.jpg


Thank you so much for any ideas!

[Irithori]

I donīt think this is possible, because the ssh daemon needs to know in which userīs homedir it has to search for authorized keys and more important: Which user shall be assigned after succesfull login.

If you want to heighten transparancy and security, it might be good to disable root login.
- If a regular user needs to login first, then this user is known. On the contrary: "root" is not neccessarily bound to one person.
- This regular user either needs to know the root pw or be in the sudoers group and provide his/her password.
Which is an additional token in comparision to "just" the right key.

[Irithori]

I just looked at your config.

Code:

AuthorizedKeysFile      /root/.ssh/authorized_keys

This essentially says, any user who wants to login, needs his/her public key in rootsī authorized_keys.

It is possible, but unusual and unflexible.

[initd]

I just looked at your config.

Code:

AuthorizedKeysFile      /root/.ssh/authorized_keys

This essentially says, any user who wants to login, needs his/her public key in rootsī authorized_keys.

It is possible, but unusual and unflexible.

That is correct Irithori. I'm the only user who connects to this server.

Glad to hear it's possible, but how? Just wanna disable that root login prompt.

I'm trying to discourage the hackers. When you see no prompt no nothing you don't even think about hacking and brute forcing.

So? How to disable the login?

[Irithori]

I donīt think this is possible, because the ssh daemon...

It takes a lot more to discourage bad guys

But if you really, *really* want no login, then you would need to:
- get the sourcecode of opensshd
- locate the part, where it asks for the login
- and rewrite it, by using a hardcoded username.
- then compile
- and install to your system
"You have the source, Luke. Use it"


Quite frankly, I wouldnt go that route.

[initd]

It takes a lot more to discourage bad guys

But if you really, *really* want no login, then you would need to:
- get the sourcecode of opensshd
- locate the part, where it asks for the login
- and rewrite it, by using a hardcoded username.
- then compile
- and install to your system
"You have the source, Luke. Use it"


Quite frankly, I wouldnt go that route.

Nah, it's a settings matter. Seen this implemented on a server.

[Irithori]

I just read
Manual Pages: sshd_config
Manual Pages: sshd( 8 )
and I am quite sure, that it is not possible to disable that login prompt.

As noted above, I donīt see, how the right user on the server would be determined, if the server doesnt explicitly request and the client provide it..
But letīs see, maybe someone else knows more.