Date:      Wed, 3 Oct 2001 14:09:06 -0400
From:      Zvezdan Petkovic <zvezdan@CS.WM.EDU>
To:        freebsd-stable@FreeBSD.ORG
Subject:   Re: sshd: requiring password _and_ RSA authentication
Message-ID:  <20011003140906.B27029@dali.cs.wm.edu>
In-Reply-To: <99746.1002123819@thrush.ravenbrook.com>; from Nick.Barnes@pobox.com on Wed, Oct 03, 2001 at 04:43:39PM +0100
References:  <99746.1002123819@thrush.ravenbrook.com>

On Wed, Oct 03, 2001 at 04:43:39PM +0100, Nick Barnes wrote:
> One of our servers used to run FreeBSD 2.2.8 with SSH 2 built from
> /usr/ports/security/ssh2.  I'm not sure exactly which version of SSH
> this was.  We had sshd configured to require both a password and RSA
> (or maybe DSA) authentication.
> 

I'm not sure that it checked both. I think that the first authentication
method that succeeds lets you through. You probably had password set up
as the first method to try.

> I've upgraded the machine to FreeBSD 4.4-RELENG.  The sshd which comes
> with this is "OpenSSH_2.3.0 FreeBSD localisations 20010713".  The
> config file was quite different; presumably the previous version was
> not OpenSSH.  I can't figure out how to configure this to require both
> a password and a shared secret.  Is it possible?
> 

They are both ON by default, but the first one that succeeds gets you
through as I said above. You can set one or the other to be used first,
of course. However, I suspect that an upgrade to the 2.9 version from the
ports tree or a prebuilt package from a CD is necessary.

As far as I remember, this option doesn't exist in the 2.3.0 version, but I
know it is available in the 2.9 version -- I used it, although for a
different purpose.  In /etc/ssh/ssh_config set

Host *
    ... [whatever you have here already]...
    PreferredAuthentications [your preferred order]

See the man page of the 2.9 version.

> (RSA authentication only is fine if your laptops never get stolen or
>  left unattended...).
> 

Only if you set up RSA keys _without_ a passphrase. I never do that.
In my opinion it is much better to force the use of passphrase on RSA.
It can be much longer than a UNIX password and thus much safer. Of course,
nobody wants to type a longer passphrase for every scp and ssh. That's why
we have ssh-agent. ssh-agent + ssh-add on startup + a long good RSA
passphrase are your friends. You type it once on login and ssh-agent
takes over for the future scp and ssh connections in that login session.

Now, if somebody steals your laptop while you are still logged in... :-)

Best regards,
-- 
Zvezdan Petkovic <zvezdan@cs.wm.edu>
http://www.cs.wm.edu/~zvezdan/
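The "ssh-agent + ssh-add on startup" setup and the PreferredAuthentications client setting described in the reply above, as an added example that is not part of the original mail or of OpenSSH itself. It is a snippet meant to be sourced from a login profile: it starts one agent per login session, reuses it from later shells (handling a stale socket left behind by an earlier session), loads a passphrase-protected key once, and writes a client config fragment that tries public key before password. The file `$HOME/.ssh/agent.env`, the function names, and the `publickey,password` order are assumptions, not anything the mail prescribes.

```shell
#!/bin/sh
# Added example, not code from the original mail. Assumed: the agent's
# environment is cached in $HOME/.ssh/agent.env so sibling shells can reuse it.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# agent_usable: succeed only if SSH_AUTH_SOCK names a socket that still exists.
# A variable pointing at a socket from a dead session is the usual failure mode.
agent_usable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# start_agent: launch a fresh ssh-agent, cache its variables with mode 0600,
# and import them into this shell.
start_agent() {
    umask 077
    ssh-agent -s > "$AGENT_ENV" || return 1
    . "$AGENT_ENV" > /dev/null
}

# ensure_agent: reuse the current agent, else the cached one, else start one.
ensure_agent() {
    agent_usable && return 0
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" > /dev/null
        agent_usable && return 0
    fi
    start_agent
}

# keys_loaded: succeed if the agent already holds at least one identity,
# so the passphrase prompt appears once per login, not once per shell.
keys_loaded() {
    ssh-add -l > /dev/null 2>&1
}

# write_client_config: emit a ssh_config fragment that tries the key first
# and falls back to a password (order is an assumption; adjust to taste).
write_client_config() {
    cat > "$1" <<'EOF'
Host *
    PreferredAuthentications publickey,password
EOF
}

# Only act in an interactive login shell; when run non-interactively the
# functions are merely defined.
case $- in
    *i*) ensure_agent && ! keys_loaded && ssh-add ;;
esac
```

Source this from `.profile` or `.login`; `ssh-add` prompts for the key's passphrase once, and every later `ssh`/`scp` in that session goes through the agent. Note that `PreferredAuthentications` belongs in the client's `ssh_config`; it orders the methods the client offers, it does not make the server demand more than one.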

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message