Find the answer to your Linux question:
Results 1 to 8 of 8
I've looked on google, but I can't seem to figure this out. I have an Ubuntu 10.04 Server. I have ssh set up with private keys, etc, but it only ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Dec 2012
    Location
    Utah
    Posts
    25

    ssh, ssh-agent: how to force key passphrase entry each time?


    I've looked on google, but I can't seem to figure this out. I have an Ubuntu 10.04 Server. I have ssh set up with private keys, etc, but it only asks for my key passphrase once in a while.

    I want to force it to ask every time I try to log in to increase security. I know it has something to do with ssh-agent key caching...

  2. #2
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,392
    The server doesnt ask for the private key passphrase, the client does.
    Hence, you cannot force this from server side.

    On the client, calling "ssh-add -d2 or "ssh-add -D" will delete identities from the agent.

    Overall, ssh-agent is very useful as it simplifies machine logins.
    Of course the user needs to be aware what (s)he is doing.

    What I do on external firewalls is to add the google authenticator as a stacked pam module for ssh logins.
    So a user needs to have the private key, a passphrase, a enabled device with the OTP app from google.
    You must always face the curtain with a bow.

  3. #3
    Just Joined!
    Join Date
    Dec 2012
    Location
    Utah
    Posts
    25
    Is it possible then to make the client ask for the password each time? Thank you.

  4. #4
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,392
    Dont start the ssh-agent.
    However, every user with a bit of knowledge of openssh can start it again, so there is no guarantee.

    Can you tell a bit more about the usecase?
    You must always face the curtain with a bow.

  5. #5
    Just Joined!
    Join Date
    Dec 2012
    Location
    Utah
    Posts
    25
    I'm setting up a server. I have several levels of security (port knocking, firewalls, port obscurity, SSH, etc.) I need to access the server remotely from my office. Anyone who walks into my office can press a few keys and get into the server (the commands are buffered in my Terminal window). Since I added keys to SSH, it no longer requires my password. I would feel better if I had to type in the passphrase each time to log in.

    It's more for curiosities sake that I ask.

    How can I prevent ssh-agent from running on startup?

  6. #6
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,392
    Ok, so as this is your workstation and your account you can kill and not use the ssh-agent.
    From now on, ssh will always ask for the passphrase to decrypt your private key.

    To me it seems the server config is fine, even a bit over.
    But the client side and user training needs a lot of attention.

    This "everyone can walk in.. press a few keys and get into the server" part is scary.
    With a few common measures, this isnt so easy.
    - noone but you has root on this workstation.
    - no account/password sharing. Everyone has his/her own acount on this workstation.
    - lock the screen (with password) as soon as you leave the keyboard.
    - encrypt at least your $HOME
    You must always face the curtain with a bow.

  7. #7
    Just Joined!
    Join Date
    Dec 2012
    Location
    Utah
    Posts
    25
    I know the setup is a little much, but my boss is a little paranoid. There's nothing critical on it now, I'm just trying some new things. I personally am not too concerned at this point, but it's good to know for the future. Thanks again!

  8. #8
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,392
    Ok, just for completeness sake and because you mentioned learning/trying new stuff:
    It is good practice to disallow root logins via ssh.
    For designated people, a sudo config is in place that allows escalation to root via the *user's* password.

    So in my setup the following tokens are needed to login via ssh to an external shellbox and escalate to root:
    Login:
    - username
    - private key for the username
    - passphrase for the private key
    - a smartphone, with the google smartphone app configured for the username
    - a password for unlocking the smartphone
    - the TOTP (time based one time password) from the google smartphone app
    Escalation:
    - configured sudo
    - password for the username

    Now, one could go crazy on the server side and stack further pam modules with e.g. fingerprint scanner or smartcards.
    But imho the above setup is already good for most usecases without sacrificing useability too much.

    And yes, useability is also an important part of security.
    Otherwise people
    a) will not use the system or at least loose time logging in.
    b) find ways to circumvent it. (e.g. go through the login procedure once and then run a private sshd. Or tunnel to an unsecured box.)

    Effectively I need one of my laptops or workstations and my smartphone.
    The first login takes a bit of time to enter three pass(words|phrase), but can be done in a few seconds with some practice.
    After the login and with the help of ssh-agent, work is no longer "hindered".

    So to rephrase my first post:
    Unless you want to completely forbid remote shell access, you cannot just rely on server config.
    The client is then part of the security chain too.
    Which means guidelines for hardware, software and people, as well as a awareness for security.
    So: encrypted partitions or $HOME, personalized accounts, screen lock with password, trained personnel.
    You must always face the curtain with a bow.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •