[kwlug-disc] How to ... having ssh key connected ... ask for password, logout if fail?
Rashkae
rashkae at tigershaunt.com
Wed Oct 5 11:43:40 EDT 2016
On 16-10-05 10:10 AM, B.S. wrote:
> I have set up key files for ssh'ing in. key passphrases are empty. ssh
> me at mine takes me straight to a prompt. This is 'good'.
>
> (1) How to be asked for a password once connected?
>
> (i.e. key files limit external access to ssh server [no keyfile, no
> access] - but with an empty passphrase, how to know the user is
> authorized / the key didn't get copied somewhere else / someone else
> isn't using it?) [Ignore proper permissions / file restriction settings
> - assume root is accessing the file.]
>
> Really, I'd like to be asked to log in post ssh passwordless connect,
> and logged out if that fails.
>
>
The usual way to add a password to ssh login is to add the password to
the keyfile. If the private key gets copied, it can't be used unless
someone knows (or, theoretically, brute forces) the password.
However, if you really want to add password login to your ssh session,
the only way I can think of to do this is to tunnel a network port
forward, then log in again.
The public key that you log in with (i.e., the entry in the authorized_keys file) can
include the options no-pty,permitopen="127.0.0.1:22",permitopen="127.0.0.1:23".
Once the SSH connection is made and ports are forwarded, you can connect
again with either ssh or telnet, and log in. My preference in this
example would be to use telnet. Otherwise, you would have to leave
passwords in SSH enabled. Alternatively, you can run a second ssh server
on a different port that is configured to accept password login.
Of course, in either example, it's assumed you have a firewall of some
kind that will only allow connections to telnet or the theoretical
second ssh daemon from localhost.
It would probably be simpler, more conventional, and more flexible, to
use OpenVPN for the key file authenticated network tunnelling, then
login with SSH over the VPN connection.
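The two-step layout the reply describes (a forwarding-only key, then a second password login through the tunnel) as an added example that is not part of the original post and not code from the poster. It generates the restricted authorized_keys entry, generates an sshd_config fragment for the "second ssh daemon" variant, and lints an authorized_keys line so an administrator can confirm the key really is limited to localhost forwarding. The public key string, the second daemon's port (2222) and the file names are constructed for illustration; the option names (no-pty, permitopen, ListenAddress, PasswordAuthentication) are standard OpenSSH.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sample public key: placeholder material, not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyForIllustration user@example'

# Print one authorized_keys line that carries the restrictions from the post:
# no-pty (no interactive shell on the first hop) plus one permitopen= per
# localhost port the client is allowed to forward to.
#   usage: restricted_authorized_keys_line "<pubkey>" 22 2222
restricted_authorized_keys_line() {
  pubkey="$1"; shift
  opts='no-pty'
  for port in "$@"; do
    opts="$opts,permitopen=\"127.0.0.1:$port\""
  done
  printf '%s %s\n' "$opts" "$pubkey"
}

# sshd_config for the second, password-accepting daemon the post mentions.
# Binding to 127.0.0.1 means it is reachable only through the forwarded
# port, so no separate firewall rule is needed for it (assumed port 2222).
second_sshd_config() {
  cat <<'EOF'
# second sshd instance: password login, loopback only (assumed port 2222)
Port 2222
ListenAddress 127.0.0.1
PasswordAuthentication yes
PubkeyAuthentication no
PermitRootLogin no
EOF
}

# Lint an authorized_keys line: succeed (return 0) only if it carries no-pty
# and every permitopen= value points at loopback; fail (return 1) otherwise.
check_restricted_line() {
  line="$1"
  case "$line" in
    *no-pty*) ;;
    *) return 1 ;;
  esac
  # split the option list on commas and pull out the quoted permitopen values
  targets=$(printf '%s\n' "$line" | tr ',' '\n' \
            | sed -n 's/^permitopen="\([^"]*\)".*/\1/p')
  [ -n "$targets" ] || return 1
  for t in $targets; do
    case "$t" in
      127.0.0.1:*|localhost:*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Demonstration when run stand-alone.
restricted_authorized_keys_line "$SAMPLE_PUBKEY" 22 2222
second_sshd_config
```

Client side, the first hop is `ssh -N -L 2222:127.0.0.1:2222 user@host` (no shell is granted because of no-pty), after which `ssh -p 2222 user@127.0.0.1` reaches the loopback-only daemon and asks for the password; closing that second session is the "logout on failure" the question asked for, and a failed password there never reaches a shell at all.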