[kwlug-disc] How to ... having ssh key connected ... ask for password, logout if fail?

Bob Jonkman bjonkman at sobac.com
Wed Oct 5 17:06:58 EDT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

B.S. replied to Rashkae:
>> Alternatively, you can run a second ssh server on a different
>> port that is configured to accept password login.
> 
> HAH! There's a thought. At that point you're local, and passwords
> are acceptable locally - one could telnet localhost within the rc!

Perhaps you can ssh-with-certs into an unprivileged account, then from
there 'su username' into the real account to get things done. That'll
ask for a password...

- --Bob.


On 2016-10-05 12:29 PM, B.S. wrote:
> On 10/05/2016 11:43 AM, Rashkae wrote:
>> The usual way to add a password to ssh login is to add the
>> password to the Keyfile.
> 
> Yes. The remote one. Looking for a single point of change on the
> server, only.
> 
> AFAIK, you're not talking about the server's authorized keys file.
> 
> Mind you, I've only just checked in to local authorized keys
> files, ~/.ssh/authorized_keys (so at least the nefarious actor
> could only use the correct userids if they broke into the key
> file). And I found that authorized_keys files can contain
> restrictions, such as no-pty, at the beginning of a line.
> 
> Combined with most users' shells being set to rssh, most of the
> attack vectors are thus shut down. Leaving just this login issue.
> 
>> However, If you really want to add password login to your ssh 
>> session, the only way I can think of to do this is to tunnel a 
>> network port forward, then login in again.
> 
> That's a thought. Thanks. Not ideal, but it's a thought.
> 
> Seems completely retarded (sort of) that one can be prompted for a 
> password locally, but not once in a shell.
> 
> Feels like setting the user to rssh, then 'su $USER' within the rc
> file is sort of a path. (Exiting the rc file, things continue on as
> normal to a shell. Would have thought 'exit -1' in the rc file
> would eject the user.) As said, login doesn't do it (not root) - it
> hasn't occurred to me how else to change / login to a user other
> than su.
> 
>> Alternatively, you can run a second ssh server on a different
>> port that is configured to accept password login.
> 
> HAH! There's a thought. At that point you're local, and passwords
> are acceptable locally - one could telnet localhost within the rc!
> 
>> It would probably be simpler, more convenient, and more
>> flexible, to use OpenVPN for the key file authenticated network
>> tunnelling, then login with SSH over the VPN connection.
> 
> True. Or telnet, for that matter. Sadly, openvpn is a heavier lift 
> (everywhere), than ssh.
> 
> Hmmm, or ssh -fNR <something>, and have the server phone you back, 
> prompting for password then.
> 
> 
> _______________________________________________ kwlug-disc mailing
> list kwlug-disc at kwlug.org 
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> 

- --
Bob Jonkman <bjonkman at sobac.com>          Phone: +1-519-635-9413
SOBAC Microcomputer Services             http://sobac.com/sobac/
Software   ---   Office & Business Automation   ---   Consulting
GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Ensure confidentiality, authenticity, non-repudiability

iEYEARECAAYFAlf1a2YACgkQuRKJsNLM5er3wACgq/sfuttAQiRSVl4hA+/Bz/bN
LDYAn3OefqZHMCI6dzMTy2aFY62Feg8v
=/bHE
-----END PGP SIGNATURE-----
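Appended as an added example, not part of Bob's or B.S.'s messages: the "single point of change on the server" asked for above exists in OpenSSH 6.2 and later as the sshd_config directive AuthenticationMethods, which makes sshd require the public key and then the account password within one login; no shell starts until both succeed, and after MaxAuthTries failures sshd closes the connection. The second fragment shows the authorized_keys restrictions B.S. mentions combined with the forced 'su' idea from the thread. The group name, the landing account, the target user and the key are placeholders.

```text
# /etc/ssh/sshd_config  (added example; the group name is a placeholder)
#
# Key AND password in one login. sshd tries the methods in the listed
# order, so the key must verify before the password prompt appears.
# A Match block must come after all global directives.
PubkeyAuthentication yes
PasswordAuthentication yes
Match Group keypluspass
    AuthenticationMethods publickey,password

# ~deploy/.ssh/authorized_keys  (added example; user and key are placeholders)
#
# Forced-command variant discussed above: the key lands in the
# unprivileged account "deploy", and 'su' then asks for realuser's
# password. A wrong password makes su exit non-zero, and since the
# forced command is all there is, the session ends.
# Caveats: su needs a terminal to read the password, so this entry
# must NOT carry no-pty and the client has to request one (ssh -t);
# and sshd runs the forced command through the account's login shell,
# so "deploy" needs a regular shell, not rssh.
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="su - realuser" ssh-ed25519 AAAA...KEY-MATERIAL-PLACEHOLDER... deploy@example
```

With the first fragment the password check happens inside sshd's authentication, before any rc file or shell runs, which is the "logout if fail" behaviour the subject line asks for; the second keeps the existing key-only sshd and moves the password check to su, at the cost of a pty and a normal shell on the landing account.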