Linux Users' Group of Davis (LUGOD)
Page last updated: 2005 Jul 22 15:07

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] sshd_config and PasswordAuthentication

on Fri, Jul 22, 2005 at 10:01:32AM -0500, Jay Strauss (me@heyjay.com) wrote:
> 
> >No.
> >
> >The authentication is handled by SSH using the public/private keypair.
> >The system password itself isn't involved in the authentication at all.
> >
> >It's possible to have users whose remote passwords are unknown or
> >disabled by this method.  This is the case for a number of remote hosts
> >I access regularly.
> >
> >
> >Peace.
> >
> 
> Karsten, I apologize, I didn't realize I hadn't responded.  Thanks for 
> all the info.
> 
> I think you are talking about passwordless authentication, 

It's not "passwordless", which is a description of negation.  It is
possible to set up accounts and SSH-keys without passwords or
passphrases.  Naturally, this is highly insecure.

Rather, this is SSH-key authorization, based on PKI (public-key
infrastructure).  Two keys, halves of a pair, one public, one private,
used for cryptographically secure authentication.

> ie public/private keypair, where once it's setup, all I have to do is
> logon to boxA then can ssh to boxB without typing a password.  

Nearly.  

The SSH-key authentication allows you to authenticate with a token other
than your password.  Normally you create a *passphrase* to secure your
SSH key.  A program called 'ssh-agent' can supply this passphrase on
request to any program requesting it, allowing you to then access and/or
run commands on remote systems without having to enter a password each
time.  You _do_ need to initially supply the passphrase to ssh-agent.


  - Generate your key as I've said.

  - Copy the *public* key to the remote host.

  - Ensure you're running ssh-agent locally.  For most current GNU/Linux
    distros, if you're running X, the session itself runs under
    ssh-agent, meaning all processes launched under the session will
    have access to the agent.  This is specified by a couple of
    environment variables, e.g.:

        SSH_AGENT_PID=6341
        SSH_AUTH_SOCK=/tmp/ssh-YTUqYA3655/agent.6535

  - Feed the agent your *passphrase*.  This secures your *key*, it need
    not be the same as either local or remote passwords, and should
    ideally be different.

  - Access your remote system:  ssh remotehost

    You won't be prompted for a password.

  

> I've done this on a number of my boxes (currently and in the past).
> 
> I didn't realize that PasswordAuthentication was related to the above. 

It's not, directly.

However, as a security measure, you can disable password authentication
on boxes being accessed remotely, to ensure that SSH-key authentication
is *always* used.

> I thought you were telling me that when this is set to "no" then I still 
> type my password, then some magic happens, and I login to the remote box 
> but I never send my password down the line.

No.  If "PasswordAuthentication no" is set in /etc/ssh/sshd_config, on
the remote host, then you *must* use another method, and my
understanding is that this limits you to SSH-passkey.  Your remote
password (tunneled and encrypted or not) *won't* work.
 


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Information is not power after all: Old-fashioned power is power. If you
  aren't big industry or government, you have very little power. Once they've
  hacked the electronic voting system, you'll have no power at all.
  - Robert X. Cringely

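The reply above says that "PasswordAuthentication no" in /etc/ssh/sshd_config forces key-based login. Checking that a host actually has it in effect is less obvious than grepping, because sshd uses the first value it sees for a keyword and treats everything after a "Match" line as conditional. The script below is an added example written for this archive page, not code from the post or from OpenSSH; the three sshd_config samples it audits are constructed, and the function names (sshd_effective_value, sshd_match_overrides, audit_password_auth) are this example's own.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "PasswordAuthentication no".
# Not code from the original post; the config samples below are constructed.
#
# Two sshd_config rules make a naive grep unreliable:
#   1. the FIRST value given for a keyword wins, later ones are ignored;
#   2. anything after a "Match" line applies only to matching connections,
#      so a Match block can quietly re-enable passwords for some users.

# Print the effective global value of KEYWORD in FILE (empty if unset).
# Usage: sshd_effective_value FILE KEYWORD
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    {
        line = $0
        sub(/^[ \t]+/, "", line)                           # trim leading blanks
        if (line == "" || substr(line, 1, 1) == "#") next  # skip comments/blank lines
        split(line, f, /[ \t=]+/)                          # "Key val" or "Key=val"
        k = tolower(f[1])                                  # keywords are case-insensitive
        if (k == "match") { inmatch = 1; next }            # rest of file is conditional
        if (inmatch) next
        if (k == key) { print tolower(f[2]); exit }        # first occurrence wins
    }' "$1"
}

# Count how many times KEYWORD is set inside Match blocks in FILE.
# Usage: sshd_match_overrides FILE KEYWORD
sshd_match_overrides() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || substr(line, 1, 1) == "#") next
        split(line, f, /[ \t=]+/)
        k = tolower(f[1])
        if (k == "match") { inmatch = 1; next }
        if (inmatch && k == key) n++
    }
    END { print n + 0 }' "$1"
}

# Return 0 if FILE disables password authentication globally and no Match
# block sets it again; otherwise print the reason and return 1.
# sshd's compiled-in default is "yes" when the keyword is absent.
audit_password_auth() {
    v=$(sshd_effective_value "$1" PasswordAuthentication)
    o=$(sshd_match_overrides "$1" PasswordAuthentication)
    if [ "${v:-yes}" != "no" ]; then
        echo "$1: PasswordAuthentication is effectively '${v:-yes (default)}'"
        return 1
    fi
    if [ "$o" -gt 0 ]; then
        echo "$1: PasswordAuthentication no, but $o Match block(s) set it again"
        return 1
    fi
    echo "$1: password authentication disabled; key-based login required"
    return 0
}

# --- constructed sample configs (not real hosts) -----------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Distro-style default: the keyword appears only as a comment, so the
# compiled-in default ("yes") applies.
WEAK_CFG="$tmp/sshd_config.weak"
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Hardened: passwords off. The later "yes" is ignored (first value wins).
HARD_CFG="$tmp/sshd_config.hard"
cat > "$HARD_CFG" <<'EOF'
Port 22
pubkeyauthentication yes
PasswordAuthentication no
PasswordAuthentication yes
EOF

# Hardened globally, but a Match block turns passwords back on for one user.
MATCH_CFG="$tmp/sshd_config.match"
cat > "$MATCH_CFG" <<'EOF'
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

for f in "$WEAK_CFG" "$HARD_CFG" "$MATCH_CFG"; do
    audit_password_auth "$f" || true
done
```

On a real host, run audit_password_auth against /etc/ssh/sshd_config (as root, since the file is often mode 600) and remember that the audit only reads the file; `sshd -T` prints the values the running daemon actually resolved, which is the authoritative check after any edit.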

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech