[SOLVED] SSH security. Passphrase authentication problem?

Post by arbogast on Mon Mar 25, 2013 6:53 am

I've read tutorials on ssh and how to configure sshd_config as well as several forum posts on the topic.

Problem: When I connect to my ssh server from WAN I'm only asked for username and password, not passphrase.

What I did:
sshd resides on LAN 192.168.0.101. From another pc (192.168.0.102) on the LAN, using Putty, I generated rsa keys with passphrase. scp'ed the public key to homedir on 192.168.0.101 and added the key to ~/.ssh/authorized_keys

I also changed permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys

I logged in from 192.168.0.102 and was asked for the passphrase - worked fine.
Then I visited a friend and logged in on my ssh server from his computer with Putty (from WAN side, that is). This worked fine, but I wasn't asked for a passphrase - only username and password. This means my server is open to brute force attacks, no?

I might have misunderstood something fundamental, but was under the impression that encrypted keys provided an extra layer of security not only by encrypting traffic but also by requiring a passphrase?
Last edited by arbogast on Thu Apr 11, 2013 12:54 pm, edited 1 time in total.

Re: SSH security. Passphrase problem?

Post by Jamesc359 on Mon Apr 01, 2013 5:04 am

The reason it's prompting you for a password and username at your friend's is because your friend's computer doesn't have the private key you created. I'm going to assume your friend's computer is safe (free of key-loggers, etc.). So the easiest way to deal with this is to carry a thumb drive with a portable version of Putty on it and the private key. If you don't want to use a portable version of Putty, just a thumb drive with your private key on it would work as well. You can then point the Putty on his machine to that key.

To disable it prompting for a password and username on all foreign computers you need to edit /etc/ssh/sshd_config and restart sshd.
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

sudo service ssh restart

Now that you've got that done you need to test it. Open Putty, load your profile, go to Connection > SSH > Auth and clear out the Private Key File for Authentication entry and hit open. Type in a username, hit Enter and you should be prompted with an error. Now try it again but this time don't remove the key and you should be able to successfully log in. Just remember that without the private key you'll never be able to log in remotely.

As another layer of security you can also configure iptables (firewall) to limit the number of connection attempts to port 22.
With gufw you click the lock icon, punch in your password. Edit > Add rule > Simple (tab)
Select Limit, In, TCP, 22

If for whatever reason you're not able to ensure that you'll have the private key with you at all times, this (combined with a strong password) is a suitable alternative to effectively stop a brute force attack.
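Added example, not part of the thread and not the posters' code: a small Python check of which password-style login methods an sshd_config still leaves on, using the keywords from the reply above. The defaults table is an assumption (upstream OpenSSH defaults, distributions may differ), the sample configs are constructed, and Include files and Match conditions are not evaluated.

```python
# Audit sshd_config text for password-style logins that are still enabled.

# Assumption: upstream OpenSSH defaults; a distribution may ship other values.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}
PASSWORD_STYLE = ("passwordauthentication", "challengeresponseauthentication")

def effective_settings(config_text):
    """Return (global settings, settings found inside Match blocks)."""
    seen, in_match_block, conditional = {}, False, []
    for raw in config_text.splitlines():
        # "Keyword value" and "Keyword=value" are both accepted by sshd.
        tokens = raw.strip().replace("=", " ", 1).split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = tokens[0].lower(), tokens[1]  # keywords are case-insensitive
        if key == "match":
            in_match_block = True
        elif in_match_block:
            conditional.append((key, value))
        else:
            seen.setdefault(key, value)  # sshd uses the first value it reads
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}, conditional

def audit(config_text):
    """Return findings; an empty list means no password-style method is on."""
    settings, conditional = effective_settings(config_text)
    findings = []
    if settings["pubkeyauthentication"] == "no":
        findings.append("pubkeyauthentication is off, keys cannot be used")
    for key in PASSWORD_STYLE:
        if settings[key] != "no":  # anything but an explicit "no" counts as on
            findings.append(f"{key} is {settings[key]}, passwords still accepted")
    findings += [f"Match block sets {k} {v}" for k, v in conditional
                 if k in PASSWORD_STYLE and v != "no"]
    return findings

DEFAULT_CONFIG = "Port 22\nPubkeyAuthentication yes\n"         # constructed
HARDENED = ("PasswordAuthentication no\n"                      # the three lines
            "ChallengeResponseAuthentication no\nUsePAM no\n")  # from the reply
APPENDED = "PasswordAuthentication yes\n" + HARDENED           # constructed

if __name__ == "__main__":
    for name in ("DEFAULT_CONFIG", "HARDENED", "APPENDED"):
        print(name, audit(globals()[name]) or "no password-style login")
```

The APPENDED case shows why adding the three lines below an existing `PasswordAuthentication yes` changes nothing. On the server itself, `sudo sshd -T` prints the settings sshd actually loaded.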

Re: SSH security. Passphrase problem?

Post by arbogast on Thu Apr 04, 2013 10:43 am

Thanks a lot for your reply. I really appreciate your detailed explanation.

I managed to make it work with my private key. It was the PasswordAuthentication yes entry that bugged me - I perceived this as a setting which would require Password in addition to private key+passphrase.
The man page entry
PasswordAuthentication
Specifies whether password authentication is allowed. The
default is ``yes''.

is not self-explanatory (to me, that is!) in explaining that PasswordAuthentication set to yes sort of bypasses authentication with keypair (?)

Well well it works now. Again, thank you!

Re: SSH security. Passphrase problem?

Post by Jamesc359 on Sat Apr 06, 2013 6:43 pm

You're welcome. :)

Please mark your thread (original post title) as solved.