[kwlug-disc] How to ... having ssh key connected ... ask for password, logout if fail?
B.S.
bs27975.2 at gmail.com
Thu Oct 6 10:58:59 EDT 2016
On 10/06/2016 09:39 AM, bob+kwlug at softscape.ca wrote:
>
> Can you explain a little more your motivation for your ideal
> solution? (ie: needing a private key to be prompted for a password) I
> assume that if you don't have a key, you never get any response from
> the server.
Requiring keys for external access to the SSH server far and away not
only significantly reduces the security risk, but also kills out of the
box the vast majority of common attacks. There were days where I could
see the SSH server continuously hit with attempts to connect and guess
(the root) passwords. Certificates only externally just took it all off
the table. Reviewing logs before and after got MANY magnitudes easier
and the logs smaller.
When I first started with keys, I didn't want to be hassled with YAP
(Yet Another Password).
Later, I came to understand the ramifications of the passphrase-less
keys - but they were already 'out there'. Being out there, there's no
way to know where all they went, who has them (what 'authority',
i.e./e.g. root for a machine), or if or when the passphrase might be
guessed. (Unlikely, but stuff happens.)
With the script, it matters much less who has the keys - they still
have to guess the right account and password. So, no worse than
accepting passwords in the first place.
> NB: I consider certificates a black art and my interpretation of how
> they work in this context could be waaaay off. I know enough to know
> that I don't know enough to speak with authority so if anyone can
> contribute, I'd appreciate it.
I don't think you give yourself enough credit - I think you described
things pretty well, and picked up on something I had dropped -
revocation lists.
I'll agree with you, PITA to manage, particularly in establishing an
infrastructure in the first place, but I think certificates (keys),
revocation lists, and so on and so forth, will eventually be the norm.
Probably not as soon as I / we / the industry would like.
The consequence of becoming the norm, though, will likely be 'better',
simpler, more the norm of our everyday lives, tools to deal with it all
- which will be a good thing.
Let's Encrypt being a good example.
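As an added illustration (not the poster's script, and not part of the original thread): the behaviour described above, a key being required from outside and the account password still asked for afterwards, with the session dropped after too many failures, can be expressed directly in sshd_config using the AuthenticationMethods directive rather than a login script. The LAN range 192.168.1.0/24 is an assumed placeholder.

```sshd_config
# Added example: require key AND password from everywhere by default.
# A leaked passphrase-less key alone is not enough to log in.
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin no
# Comma-separated list = both methods must succeed, in this order:
# the key is checked first, the password prompt only follows a valid key.
AuthenticationMethods publickey,password
# Disconnect after three failed attempts (key or password).
MaxAuthTries 3

# Assumed internal network (placeholder range): space-separated lists
# mean EITHER method alone is accepted, so LAN users keep password-only
# logins while external clients still need the key first.
Match Address 192.168.1.0/24
    AuthenticationMethods publickey password
```

Check the file with `sshd -t` before reloading, and keep an existing session open while testing so a typo cannot lock you out.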