* [gentoo-user] SSH login with both key AND password?
From: Paul Hartman @ 2009-01-07 23:28 UTC
To: gentoo-user

Hi,

Normally I'm using SSH with regular password login, and I've read
about generating a keypair and having a password-less connection that
way. Is there a way to require both the key AND a password? Basically
if I put the key in my SSH client at work, I don't want a co-worker to
be able to login to my home PC, or someone to grab my phone, etc.

Is there a way to put a passphrase on the key (separate from my user
account password)? Maybe that would work... Otherwise I've thought
about having a dummy SSH account and then "su - realuser" to get
access, but that seems kind of messy.

I've always used password login and IP-restricted it, but now I'm
traveling more and never know what IP I might be connecting from, so
using a key seems to be the best plan, or maybe some kind of
portknocking (but that's difficult from restricted ssh environments
such as a phone).

Thanks,
Paul

* [gentoo-user] Re: SSH login with both key AND password?
From: Nikos Chantziaras @ 2009-01-07 23:45 UTC
To: gentoo-user

Paul Hartman wrote:
> Hi,
>
> Normally I'm using SSH with regular password login, and I've read
> about generating a keypair and having a password-less connection that
> way. Is there a way to require both the key AND a password? Basically
> if I put the key in my SSH client at work, I don't want a co-worker to
> be able to login to my home PC, or someone to grab my phone, etc.
>
> Is there a way to put a passphrase on the key (separate from my user
> account password)?

It is. It's even the default behavior when you create the key (openssh
will ask you for a password.)

* Re: [gentoo-user] Re: SSH login with both key AND password?
From: Paul Hartman @ 2009-01-08 0:01 UTC
To: gentoo-user

On Wed, Jan 7, 2009 at 5:45 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
> Paul Hartman wrote:
>>
>> Hi,
>>
>> Normally I'm using SSH with regular password login, and I've read
>> about generating a keypair and having a password-less connection that
>> way. Is there a way to require both the key AND a password? Basically
>> if I put the key in my SSH client at work, I don't want a co-worker to
>> be able to login to my home PC, or someone to grab my phone, etc.
>>
>> Is there a way to put a passphrase on the key (separate from my user
>> account password)?
>
> It is. It's even the default behavior when you create the key (openssh will
> ask you for a password.)

I guess I should have tried before asking! Every HOWTO/tutorial I
googled seemed to really emphasize the "no more password entry!"
aspect of key login. Thanks.

Paul

* Re: [gentoo-user] Re: SSH login with both key AND password?
From: Norberto Bensa @ 2009-01-08 0:11 UTC
To: gentoo-user

On Wednesday January 7 2009 22:01:14 Paul Hartman wrote:
> I guess I should have tried before asking! Every HOWTO/tutorial I
> googled seemed to really emphasize the "no more password entry!"
> aspect of key login. Thanks.

That's right: no more password logins. However, you should (optionally) lock
your key with a passphrase.

Regards,
Norberto

* Re: [gentoo-user] Re: SSH login with both key AND password?
From: Dave Jones @ 2009-01-08 0:25 UTC
To: gentoo-user

Norberto Bensa wrote on 08/01/09 01:11:
> On Wednesday January 7 2009 22:01:14 Paul Hartman wrote:
>
>> I guess I should have tried before asking! Every HOWTO/tutorial I
>> googled seemed to really emphasize the "no more password entry!"
>> aspect of key login. Thanks.
>>
>
> That's right: no more password logins. However, you should (optionally) lock
> your key with a passphrase.
>

You can use ssh-agent if you want to do a (one-time) unlock of a passphrase-protected key pair.

eval `ssh-agent` will do the trick nicely, assuming you're on a *nix client.

Cheers, Dave

* Re: [gentoo-user] SSH login with both key AND password?
From: Dave Jones @ 2009-01-08 0:11 UTC
To: gentoo-user

Paul Hartman wrote on 08/01/09 00:28:
> Hi,
>
> Normally I'm using SSH with regular password login, and I've read
> about generating a keypair and having a password-less connection that
> way. Is there a way to require both the key AND a password? Basically
> if I put the key in my SSH client at work, I don't want a co-worker to
> be able to login to my home PC, or someone to grab my phone, etc.
>
> Is there a way to put a passphrase on the key (separate from my user
> account password)? Maybe that would work... Otherwise I've thought
> about having a dummy SSH account and then "su - realuser" to get
> access, but that seems kind of messy.
>
> I've always used password login and IP-restricted it, but now I'm
> traveling more and never know what IP I might be connecting from, so
> using a key seems to be the best plan, or maybe some kind of
> portknocking (but that's difficult from restricted ssh environments
> such as a phone).
>

By default ssh-keygen creates a key pair with a passphrase. It's your choice to enter or omit a passphrase.

If you've generated a key without a passphrase, you can add a passphrase using ssh-keygen -p

Entering a passphrase encrypts the private part of the key, which you keep only on the server. You only need the public part of the key on the client.

Cheers, Dave

* Re: [gentoo-user] SSH login with both key AND password?
From: Shawn Haggett @ 2009-01-08 2:44 UTC
To: gentoo-user

Dave Jones wrote:
> Paul Hartman wrote on 08/01/09 00:28:
>> Hi,
>>
>> Normally I'm using SSH with regular password login, and I've read
>> about generating a keypair and having a password-less connection that
>> way. Is there a way to require both the key AND a password? Basically
>> if I put the key in my SSH client at work, I don't want a co-worker to
>> be able to login to my home PC, or someone to grab my phone, etc.
>>
>> Is there a way to put a passphrase on the key (separate from my user
>> account password)? Maybe that would work... Otherwise I've thought
>> about having a dummy SSH account and then "su - realuser" to get
>> access, but that seems kind of messy.
>>
>> I've always used password login and IP-restricted it, but now I'm
>> traveling more and never know what IP I might be connecting from, so
>> using a key seems to be the best plan, or maybe some kind of
>> portknocking (but that's difficult from restricted ssh environments
>> such as a phone).
>>
> By default ssh-keygen creates a key pair with a passphrase. It's your choice to enter or omit a passphrase.
>
> If you've generated a key without a passphrase, you can add a passphrase using ssh-keygen -p
>
> Entering a passphrase encrypts the private part of the key, which you keep only on the server. You only need the public part of the key on the client.
>
> Cheers, Dave
>
>

Other way around, the server (i.e. the machine you're logging into) has the public key stored in the authorized_keys file. The client (i.e. the machine you're sitting at) has the private key.

So the private key would be sitting on your machine at work, but is in turn encrypted and you need the passphrase to decrypt it.

On another note, ssh-agent has been mentioned, but you might want to take a look at keychain (it's in portage). It's a nice script you can add to your bashrc or similar, it will take care of checking if there's already a running ssh-agent or not, and if not, ask for the password to any private keys and start ssh-agent. I use it on all my machines so on first boot I put in my password, then passwordless access between machines. If an attacker manages to get the key file off disk however, it is still encrypted and not much good to them.

Shawn

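An added example, not part of the thread: a Python check that reads a private key file on the client and reports whether it is passphrase-protected, covering the legacy PEM format, PKCS#8, and the newer openssh-key-v1 container. The sample keys are constructed dummies with no real key material, and all function names are this example's own.

```python
import base64
import struct
from pathlib import Path

AUTH_MAGIC = b"openssh-key-v1\x00"
LEGACY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"}


def read_string(buf, off):
    """Read one SSH wire string: uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_protection(text):
    """Return (status, detail); status is 'encrypted', 'unencrypted' or 'unknown'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    first = lines[0] if lines else ""
    if len(lines) < 3 or not (first.startswith("-----BEGIN ") and first.endswith("-----")):
        return ("unknown", "not a PEM-armored key")
    label = first[len("-----BEGIN "):-len("-----")]
    body = lines[1:-1]
    if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8 encrypted container
        return ("encrypted", "PKCS#8")
    if label == "PRIVATE KEY":             # PKCS#8 plaintext container
        return ("unencrypted", "PKCS#8")
    if label in LEGACY_LABELS:
        # Legacy PEM keys declare encryption in Proc-Type/DEK-Info headers.
        headers = dict(ln.split(":", 1) for ln in body if ":" in ln)
        if headers.get("Proc-Type", "").strip() == "4,ENCRYPTED":
            return ("encrypted", headers.get("DEK-Info", "").strip())
        return ("unencrypted", "legacy PEM")
    if label == "OPENSSH PRIVATE KEY":
        # New-format keys carry the cipher and KDF names right after the magic.
        try:
            blob = base64.b64decode("".join(body), validate=True)
            if not blob.startswith(AUTH_MAGIC):
                return ("unknown", "bad magic")
            cipher, off = read_string(blob, len(AUTH_MAGIC))
            kdf, _ = read_string(blob, off)
        except ValueError as exc:
            return ("unknown", str(exc))
        if cipher == b"none":
            return ("unencrypted", "openssh-key-v1")
        return ("encrypted",
                cipher.decode("ascii", "replace") + "/" + kdf.decode("ascii", "replace"))
    return ("unknown", label)


def audit(paths):
    """Map each path to its key_protection() result."""
    report = {}
    for path in paths:
        try:
            report[str(path)] = key_protection(Path(path).read_text(errors="replace"))
        except OSError as exc:
            report[str(path)] = ("unknown", "unreadable: %s" % exc.strerror)
    return report


def constructed_openssh_key(cipher, kdf):
    """Constructed sample: real openssh-key-v1 header layout, dummy key payload."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = (AUTH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
            + s(b"dummy-public") + s(b"dummy-private"))
    b64 = base64.b64encode(blob).decode()
    rows = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(["-----BEGIN OPENSSH PRIVATE KEY-----", *rows,
                      "-----END OPENSSH PRIVATE KEY-----"])


# Constructed sample of a legacy PEM key with a passphrase (payload is a dummy).
CONSTRUCTED_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

ZHVtbXkgcGF5bG9hZA==
-----END RSA PRIVATE KEY-----"""

if __name__ == "__main__":
    # Assumed layout: private keys live in ~/.ssh as id_* without a .pub suffix.
    keys = [p for p in (Path.home() / ".ssh").glob("id_*") if p.suffix != ".pub"]
    for name, (status, detail) in audit(keys).items():
        print(f"{status:12} {detail:28} {name}")
```

The passphrase only protects the key file at rest on the client; sshd never sees it and cannot tell whether a key presented to it has one.
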
* [gentoo-user] Problem with resolv.conf
From: Hung Dang @ 2009-01-08 4:19 UTC
To: gentoo-user

Hi all,
I have a strange problem that the resolv.conf file is reset to the
default file every time I reboot my computer.
Has anyone had a similar problem before?

Thanks,
Hung

* Re: [gentoo-user] Problem with resolv.conf
From: KH @ 2009-01-08 4:24 UTC
To: gentoo-user

Hung Dang wrote:
> Hi all,
> I have a strange problem that the resolv.conf file is reset to the
> default file every time I reboot my computer.
> Has anyone had a similar problem before?
>
> Thanks,
> Hung
>
>

I had a problem like this when I used vpn. Never solved it so.

kh

* Re: [gentoo-user] Problem with resolv.conf
From: Eric Martin @ 2009-01-08 4:29 UTC
To: gentoo-user

KH wrote:
> Hung Dang wrote:
>
>> Hi all,
>> I have a strange problem that the resolv.conf file is reset to the
>> default file every time I reboot my computer.
>> Has anyone had a similar problem before?
>>
>> Thanks,
>> Hung
>>
>>
>>
> I had a problem like this when I used vpn. Never solved it so.
>
> kh
>
>

I want to amend my last statement: dhcpcd *CAN* do this.

* Re: [gentoo-user] Problem with resolv.conf
From: Eric Martin @ 2009-01-08 4:26 UTC
To: gentoo-user

Hung Dang wrote:
> Hi all,
> I have a strange problem that the resolv.conf file is reset to the
> default file every time I reboot my computer.
> Has anyone had a similar problem before?
>
> Thanks,
> Hung
>
>

dhcpcd does this. Are you running dhcp on the machine?

* Re: [gentoo-user] Problem with resolv.conf
From: Hung Dang @ 2009-01-08 4:47 UTC
To: gentoo-user

Eric Martin wrote:
> Hung Dang wrote:
>> Hi all,
>> I have a strange problem that the resolv.conf file is reset to the
>> default file every time I reboot my computer.
>> Has anyone had a similar problem before?
>>
>> Thanks,
>> Hung
>>
>>
> dhcpcd does this. Are you running dhcp on the machine?
> # Generated by dhcpcd
> # /etc/resolv.conf.head can replace this line

Eric: Thanks for a quick reply.

You are correct. Every time I reboot my machine dhcpcd overrides the
resolv.conf file. I only use dhcpcd in my system and below is the
content of the new resolv.conf

# Generated by dhcpcd
# /etc/resolv.conf.head can replace this line
# /etc/resolv.conf.tail can replace this line

I guess the head and tail of the resolv.conf can be replaced by
/etc/resolv.conf.head and /etc/resolv.conf.tail files.
My question is I have several Gentoo machines, however this problem
only happens with the new one. Do you have any suggestion for my problem?

Thanks
Hung

* Re: [gentoo-user] Problem with resolv.conf
From: Redouane Boumghar @ 2009-01-08 9:46 UTC
To: gentoo-user

Hi everyone,

If you don't want dhcpcd to overwrite your resolv.conf then tell it not to configure the DNS.
The configuration can be made through your /etc/conf.d/net file:

config_eth0=( "dhcp" )
dhcp_eth0="nodns nontp nonis"

That's the "nodns" which takes care of not touching your resolv.conf file.

Hope this helps!
Have a nice day, and Happy New year everyone ;)

Red.

On Wed, Jan 07, 2009 at 09:47:39PM -0700, Hung Dang wrote:
> Eric Martin wrote:
> > Hung Dang wrote:
> >> Hi all,
> >> I have a strange problem that the resolv.conf file is reset to the
> >> default file every time I reboot my computer.
> >> Has anyone had a similar problem before?
> >>
> >> Thanks,
> >> Hung
> >>
> >>
> > dhcpcd does this. Are you running dhcp on the machine?
> > # Generated by dhcpcd
> > # /etc/resolv.conf.head can replace this line
>
> Eric: Thanks for a quick reply.
>
> You are correct. Every time I reboot my machine dhcpcd overrides the
> resolv.conf file. I only use dhcpcd in my system and below is the
> content of the new resolv.conf
>
> # Generated by dhcpcd
> # /etc/resolv.conf.head can replace this line
> # /etc/resolv.conf.tail can replace this line
>
>
> I guess the head and tail of the resolv.conf can be replaced by
> /etc/resolv.conf.head and /etc/resolv.conf.tail files.
> My question is I have several Gentoo machines, however this problem
> only happens with the new one. Do you have any suggestion for my problem?
>
> Thanks
> Hung
>
>
>
>

* [gentoo-user] Re: Problem with resolv.conf
From: »Q« @ 2009-01-08 16:45 UTC
To: gentoo-user

In <49657ECD.7060608@gmail.com>,
Hung Dang <hungptit@gmail.com> wrote:

> References:
> <58965d8a0901071528u464c7aa7w8cd5bcfab7530c4e@mail.gmail.com>
> <496544CC.5050300@xs4all.nl> <49656893.2040404@podgeweb.com>

> Hi all,
> I have a strange problem that the resolv.conf file is reset to the
> default file every time I reboot my computer.
> Has anyone had a similar problem before?

I think your question's been answered. But in the future, please
don't post new issues by replying to existing threads and changing the
Subject header -- just make a new post.

--
»Q«
Kleeneness is next to Gödelness.

* Re: [gentoo-user] Re: Problem with resolv.conf
From: Hung Dang @ 2009-01-09 3:20 UTC
To: gentoo-user

»Q« wrote:
> In <49657ECD.7060608@gmail.com>,
> Hung Dang <hungptit@gmail.com> wrote:
>
>
>> References:
>> <58965d8a0901071528u464c7aa7w8cd5bcfab7530c4e@mail.gmail.com>
>> <496544CC.5050300@xs4all.nl> <49656893.2040404@podgeweb.com>
>>
>
>
>> Hi all,
>> I have a strange problem that the resolv.conf file is reset to the
>> default file every time I reboot my computer.
>> Has anyone had a similar problem before?
>>
>
> I think your question's been answered. But in the future, please
> don't post new issues by replying to existing threads and changing the
> Subject header -- just make a new post.
>
>

Thanks all of you for the help. I found out that I have two internet connections but only have the dhcp config for eth0 in /etc/conf.d/net. When I added the config for eth1 everything went fine :).

Thanks a lot and Happy New Year :)
Hung

* Re: [gentoo-user] SSH login with both key AND password?
From: Norberto Bensa @ 2009-01-08 11:28 UTC
To: gentoo-user
Cc: Dave Jones

On Wednesday January 7 2009 22:11:56 Dave Jones wrote:
>
> Entering a passphrase encrypts the private part of the key, which you keep
> only on the server. You only need the public part of the key on the client.

Try it the other way: private on the client. Public on the server.

The private part is what you have: the key. The public part is what you put on
the server: the lock. You can give the lock to whatever person you want, but
only your key will unlock it.

Regards,
Norberto

* Re: [gentoo-user] SSH login with both key AND password?
From: Paul Hartman @ 2009-01-08 16:57 UTC
To: gentoo-user

On Wed, Jan 7, 2009 at 6:11 PM, Dave Jones <Dave.Jones@xs4all.nl> wrote:
> Paul Hartman wrote on 08/01/09 00:28:
>> Hi,
>>
>> Normally I'm using SSH with regular password login, and I've read
>> about generating a keypair and having a password-less connection that
>> way. Is there a way to require both the key AND a password? Basically
>> if I put the key in my SSH client at work, I don't want a co-worker to
>> be able to login to my home PC, or someone to grab my phone, etc.
>>
>> Is there a way to put a passphrase on the key (separate from my user
>> account password)? Maybe that would work... Otherwise I've thought
>> about having a dummy SSH account and then "su - realuser" to get
>> access, but that seems kind of messy.
>>
>> I've always used password login and IP-restricted it, but now I'm
>> traveling more and never know what IP I might be connecting from, so
>> using a key seems to be the best plan, or maybe some kind of
>> portknocking (but that's difficult from restricted ssh environments
>> such as a phone).
>>
> By default ssh-keygen creates a key pair with a passphrase. It's your choice to enter or omit a passphrase.
>
> If you've generated a key without a passphrase, you can add a passphrase using ssh-keygen -p
>
> Entering a passphrase encrypts the private part of the key, which you keep only on the server. You only need the public part of the key on the client.
>
> Cheers, Dave

It works great. Thanks everyone for your responses!

Paul

* Re: [gentoo-user] SSH login with both key AND password?
From: Paul Hartman @ 2009-01-08 18:12 UTC
To: gentoo-user

On Thu, Jan 8, 2009 at 10:57 AM, Paul Hartman
<paul.hartman+gentoo@gmail.com> wrote:
> On Wed, Jan 7, 2009 at 6:11 PM, Dave Jones <Dave.Jones@xs4all.nl> wrote:
>> Paul Hartman wrote on 08/01/09 00:28:
>>> Hi,
>>>
>>> Normally I'm using SSH with regular password login, and I've read
>>> about generating a keypair and having a password-less connection that
>>> way. Is there a way to require both the key AND a password? Basically
>>> if I put the key in my SSH client at work, I don't want a co-worker to
>>> be able to login to my home PC, or someone to grab my phone, etc.
>>>
>>> Is there a way to put a passphrase on the key (separate from my user
>>> account password)? Maybe that would work... Otherwise I've thought
>>> about having a dummy SSH account and then "su - realuser" to get
>>> access, but that seems kind of messy.
>>>
>>> I've always used password login and IP-restricted it, but now I'm
>>> traveling more and never know what IP I might be connecting from, so
>>> using a key seems to be the best plan, or maybe some kind of
>>> portknocking (but that's difficult from restricted ssh environments
>>> such as a phone).
>>>
>> By default ssh-keygen creates a key pair with a passphrase. It's your choice to enter or omit a passphrase.
>>
>> If you've generated a key without a passphrase, you can add a passphrase using ssh-keygen -p
>>
>> Entering a passphrase encrypts the private part of the key, which you keep only on the server. You only need the public part of the key on the client.
>>
>> Cheers, Dave
>
> It works great. Thanks everyone for your responses!
>
> Paul
>

Well, almost great :)

I can't figure out how to get NXclient to connect. It says the key is
corrupt or has a passphrase (which it does). Has anyone used NX with a
key-based SSH with passphrase?

Thanks,
Paul

* Re: [gentoo-user] SSH login with both key AND password?
From: Paul Hartman @ 2009-01-08 20:57 UTC
To: gentoo-user

On Thu, Jan 8, 2009 at 12:12 PM, Paul Hartman
<paul.hartman+gentoo@gmail.com> wrote:
> On Thu, Jan 8, 2009 at 10:57 AM, Paul Hartman
> <paul.hartman+gentoo@gmail.com> wrote:
>> On Wed, Jan 7, 2009 at 6:11 PM, Dave Jones <Dave.Jones@xs4all.nl> wrote:
>>> Paul Hartman wrote on 08/01/09 00:28:
>>>> Hi,
>>>>
>>>> Normally I'm using SSH with regular password login, and I've read
>>>> about generating a keypair and having a password-less connection that
>>>> way. Is there a way to require both the key AND a password? Basically
>>>> if I put the key in my SSH client at work, I don't want a co-worker to
>>>> be able to login to my home PC, or someone to grab my phone, etc.
>>>>
>>>> Is there a way to put a passphrase on the key (separate from my user
>>>> account password)? Maybe that would work... Otherwise I've thought
>>>> about having a dummy SSH account and then "su - realuser" to get
>>>> access, but that seems kind of messy.
>>>>
>>>> I've always used password login and IP-restricted it, but now I'm
>>>> traveling more and never know what IP I might be connecting from, so
>>>> using a key seems to be the best plan, or maybe some kind of
>>>> portknocking (but that's difficult from restricted ssh environments
>>>> such as a phone).
>>>>
>>> By default ssh-keygen creates a key pair with a passphrase. It's your choice to enter or omit a passphrase.
>>>
>>> If you've generated a key without a passphrase, you can add a passphrase using ssh-keygen -p
>>>
>>> Entering a passphrase encrypts the private part of the key, which you keep only on the server. You only need the public part of the key on the client.
>>>
>>> Cheers, Dave
>>
>> It works great. Thanks everyone for your responses!
>>
>> Paul
>>
>
> Well, almost great :)
>
> I can't figure out how to get NXclient to connect. It says the key is
> corrupt or has a passphrase (which it does). Has anyone used NX with a
> key-based SSH with passphrase?
>
> Thanks,
> Paul

I figured it out. It was a two-part solution:

1) password logins must be enabled to use system authentication with
NX. Since I don't want password logins, I had to use NX's internal
user and password database instead. This requires maintaining separate
passwords for NX...

2) the "nx" user is locked and passwordless; I had to give it a
password in order to unlock it.

After doing that, NX now works!

*mental note: if I ever want to revoke someone's access to my machine
or change their password, I must remember to check for SSH keys & NX
user accounts (which are actually SSH keys as well) in addition to
changing the password on their system account.

Thanks again,
Paul

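Paul's note about revocation, as an added example that is not part of the thread: a Python inventory of an authorized_keys file that reports each entry's options, key type, comment and SHA256 fingerprint, so that one specific key can be located by fingerprint when access has to be withdrawn. The sample file and key blobs are constructed, and all function names are this example's own.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def split_fields(line):
    """Split on blanks, keeping double-quoted option values (which may hold spaces) whole."""
    fields, cur, quoted, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in " \t" and not quoted:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    if cur:
        fields.append(cur)
    return fields


def parse_entry(line):
    """Parse one authorized_keys line; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = split_fields(line)
    options = ""
    if fields[0] not in KEY_TYPES:          # leading field is the options list
        options, fields = fields[0], fields[1:]
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("no recognised key type")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():  # blob starts with its own type name
        raise ValueError("declared type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return {"options": options, "type": fields[0],
            "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
            "comment": " ".join(fields[2:])}


def inventory(text):
    """Return [(line_number, entry_or_error)] for every key line in the file."""
    found = []
    for number, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_entry(line)
        except ValueError as exc:
            entry = {"error": str(exc)}
        if entry is not None:
            found.append((number, entry))
    return found


def lines_for(text, fingerprint):
    """Line numbers whose key matches a fingerprint; comments are free text and not trusted."""
    return [n for n, e in inventory(text) if e.get("fingerprint") == fingerprint]


def constructed_pubkey(seed):
    """Constructed sample: ssh-ed25519 wire blob around 32 dummy bytes (not a real key)."""
    parts = (b"ssh-ed25519", bytes([seed]) * 32)
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in parts)).decode()


# Constructed authorized_keys content; names and addresses are placeholders.
SAMPLE = "\n".join([
    "# home server, user paul",
    "ssh-ed25519 " + constructed_pubkey(1) + " paul@work",
    'from="192.0.2.*",command="/usr/bin/uptime -p" ssh-ed25519 '
    + constructed_pubkey(2) + " nx session key",
    "ssh-rsa " + constructed_pubkey(3) + " mislabelled",
])

if __name__ == "__main__":
    for number, entry in inventory(SAMPLE):
        print(number, entry)
```

The fingerprint string has the same form as the SHA256 fingerprint that `ssh-keygen -l` prints for a public key, so entries can be matched against a key someone hands you.
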
* Re: [gentoo-user] SSH login with both key AND password?
From: Eric Martin @ 2009-01-08 23:26 UTC
To: gentoo-user

Paul Hartman wrote:
> On Thu, Jan 8, 2009 at 12:12 PM, Paul Hartman
> <paul.hartman+gentoo@gmail.com> wrote:
>
>> On Thu, Jan 8, 2009 at 10:57 AM, Paul Hartman
>> <paul.hartman+gentoo@gmail.com> wrote:
>>
>>> On Wed, Jan 7, 2009 at 6:11 PM, Dave Jones <Dave.Jones@xs4all.nl> wrote:
>>>
>>>> Paul Hartman wrote on 08/01/09 00:28:
>>>>
>>>>> Hi,
>>>>>
>>>>> Normally I'm using SSH with regular password login, and I've read
>>>>> about generating a keypair and having a password-less connection that
>>>>> way. Is there a way to require both the key AND a password? Basically
>>>>> if I put the key in my SSH client at work, I don't want a co-worker to
>>>>> be able to login to my home PC, or someone to grab my phone, etc.
>>>>>
>>>>> Is there a way to put a passphrase on the key (separate from my user
>>>>> account password)? Maybe that would work... Otherwise I've thought
>>>>> about having a dummy SSH account and then "su - realuser" to get
>>>>> access, but that seems kind of messy.
>>>>>
>>>>> I've always used password login and IP-restricted it, but now I'm
>>>>> traveling more and never know what IP I might be connecting from, so
>>>>> using a key seems to be the best plan, or maybe some kind of
>>>>> portknocking (but that's difficult from restricted ssh environments
>>>>> such as a phone).
>>>>>
>>>>>
>>>> By default ssh-keygen creates a key pair with a passphrase. It's your choice to enter or omit a passphrase.
>>>>
>>>> If you've generated a key without a passphrase, you can add a passphrase using ssh-keygen -p
>>>>
>>>> Entering a passphrase encrypts the private part of the key, which you keep only on the server. You only need the public part of the key on the client.
>>>>
>>>> Cheers, Dave
>>>>
>>> It works great. Thanks everyone for your responses!
>>>
>>> Paul
>>>
>>>
>> Well, almost great :)
>>
>> I can't figure out how to get NXclient to connect. It says the key is
>> corrupt or has a passphrase (which it does). Has anyone used NX with a
>> key-based SSH with passphrase?
>>
>> Thanks,
>> Paul
>>
>
> I figured it out. It was a two-part solution:
>
> 1) password logins must be enabled to use system authentication with
> NX. Since I don't want password logins, I had to use NX's internal
> user and password database instead. This requires maintaining separate
> passwords for NX...
>
> 2) the "nx" user is locked and passwordless; I had to give it a
> password in order to unlock it.
>
> After doing that, NX now works!
>
> *mental note: if I ever want to revoke someone's access to my machine
> or change their password, I must remember to check for SSH keys & NX
> user accounts (which are actually SSH keys as well) in addition to
> changing the password on their system account.
>
> Thanks again,
> Paul
>
>

You could also use ssh-agent to unlock the key if you don't want to use
a null-passphrase key
