[SOLVED] SSH security. Passphrase authentication problem?

arbogast

[SOLVED] SSH security. Passphrase authentication problem?

Post by arbogast »

I've read tutorials on ssh and how to configure sshd_config as well as several forum posts on the topic.

Problem: When I connect to my ssh server from the WAN I'm only asked for username and password, not passphrase.

What I did:
sshd resides on LAN 192.168.0.101. From another PC (192.168.0.102) on the LAN, using Putty, I generated rsa keys with passphrase. scp'ed the public key to homedir on 192.168.0.101 and added the key to ~/.ssh/authorized_keys

I also changed permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys

I logged in from 192.168.0.102 and was asked for the passphrase - worked fine.
Then I visited a friend and logged in on my ssh server from his computer with Putty (from WAN side, that is). This worked fine, but I wasn't asked for a passphrase - only username and password. This means my server is open to brute force attacks, no?

I might have misunderstood something fundamental, but was under the impression that encrypted keys provided an extra layer of security not only by encrypting traffic but also by requiring a passphrase?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Jamesc359

Re: SSH security. Passphrase problem?

Post by Jamesc359 »

The reason it's prompting you for a password and username at your friend's is because your friend's computer doesn't have the private key you created. I'm going to assume your friend's computer is safe (free of key-loggers, etc.). So the easiest way to deal with this is to carry a thumb drive with a portable version of Putty on it and the private key. If you don't want to use a portable version of Putty, just a thumb drive with your private key on it would work as well. You can then point the Putty on his machine to that key.

To disable it prompting for a password and username on all foreign computers you need to edit /etc/ssh/sshd_config and restart sshd.
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

sudo service ssh restart

Now that you've got that done you need to test it. Open Putty, load your profile, go to Connection > SSH > Auth and clear out the Private Key File for Authentication entry and hit open. Type in a username, hit Enter and you should be prompted with an error. Now try it again but this time don't remove the key and you should be able to successfully log in. Just remember that without the private key you'll never be able to log in remotely.

As another layer of security you can also configure iptables (firewall) to limit the number of connection attempts to port 22.
With gufw you click the lock icon, punch in your password. Edit > Add rule > Simple (tab)
Select Limit, In, TCP, 22

If for whatever reason you're not able to ensure that you'll have the private key with you at all times, this (combined with a strong password) is a suitable alternative to effectively stop a brute force attack.
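As an added example (not from the thread or from either poster), here is a small Python check over OpenSSH's auth.log-style lines that does two things a practitioner wants after making the change above: it flags source addresses that are hammering port 22 with failed passwords (the exposure the first post worries about), and it counts which method each successful login actually used, so an "Accepted password" line showing up after you set PasswordAuthentication no tells you the running sshd did not pick up the change. The log lines are constructed for the example; the hostname `mint`, the user names, the addresses, the LAN prefix and the thresholds are all assumptions.

```python
"""Spot password brute-forcing and check which auth methods succeed.

Added example, not from the forum thread. The log lines below are
constructed in OpenSSH's syslog format (on Mint/Ubuntu they live in
/var/log/auth.log); the hostname, users and addresses are made up.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one WAN address guessing passwords, one LAN user who
# mistyped once and then got in with a key, and one WAN password login.
SAMPLE_AUTH_LOG = """\
Jun 28 07:10:01 mint sshd[2034]: Failed password for invalid user admin from 203.0.113.7 port 51202 ssh2
Jun 28 07:10:03 mint sshd[2034]: Failed password for invalid user admin from 203.0.113.7 port 51202 ssh2
Jun 28 07:10:05 mint sshd[2036]: Failed password for root from 203.0.113.7 port 51210 ssh2
Jun 28 07:10:06 mint sshd[2036]: Failed password for root from 203.0.113.7 port 51210 ssh2
Jun 28 07:10:08 mint sshd[2038]: Failed password for invalid user oracle from 203.0.113.7 port 51220 ssh2
Jun 28 07:10:09 mint sshd[2038]: Failed password for invalid user oracle from 203.0.113.7 port 51220 ssh2
Jun 28 07:11:30 mint sshd[2040]: Failed password for arbogast from 192.168.0.102 port 40012 ssh2
Jun 28 07:11:41 mint sshd[2040]: Accepted publickey for arbogast from 192.168.0.102 port 40012 ssh2
Jun 28 07:12:02 mint sshd[2044]: Accepted password for arbogast from 198.51.100.23 port 60211 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
FAILED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
         r"(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for "
         r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def _syslog_time(ts):
    # syslog timestamps carry no year; strptime fills in 1900, fine for differences
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_events(log_text):
    """Yield (kind, method, user, ip, when) for the auth-outcome lines sshd writes."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield ("failed", "password", m["user"], m["ip"], _syslog_time(m["ts"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            yield ("accepted", m["method"], m["user"], m["ip"], _syslog_time(m["ts"]))


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Map source IP -> peak number of failed passwords inside any window_seconds span.

    Only sources that reach `threshold` are returned. This is the same idea as
    the ufw 'limit' / iptables rate-limit rule, applied after the fact to the log.
    """
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    flagged = {}
    for kind, _method, _user, ip, when in parse_events(log_text):
        if kind != "failed":
            continue
        window = recent[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > window_seconds:
            window.pop(0)
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


def accepted_by_method(log_text):
    """Count successful logins per method. A 'password' count after you set
    PasswordAuthentication no means the running sshd never saw the new config."""
    return dict(Counter(method for kind, method, *_ in parse_events(log_text)
                        if kind == "accepted"))


def logins_from_outside(log_text, lan_prefix="192.168.0."):
    """Successful logins from addresses outside the LAN, with the method used."""
    return [(user, ip, method) for kind, method, user, ip, _ in parse_events(log_text)
            if kind == "accepted" and not ip.startswith(lan_prefix)]


if __name__ == "__main__":
    print("brute force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("accepted by method:", accepted_by_method(SAMPLE_AUTH_LOG))
    print("logins from outside:", logins_from_outside(SAMPLE_AUTH_LOG))
```

Run it against a real file with `brute_force_sources(open("/var/log/auth.log").read())`; on systems that log only to the journal, feed it the output of `journalctl -u ssh --no-pager`. The sliding window is deliberately per source address, so a single mistyped passphrase from the LAN (the 192.168.0.102 line above) never trips it.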
arbogast

Re: SSH security. Passphrase problem?

Post by arbogast »

Thanks a lot for your reply. I really appreciate your detailed explanation.

I managed to make it work with my private key. It was the PasswordAuthentication yes entry that bugged me - I perceived this as a setting which would require Password in addition to private key+passphrase.
The man page entry
PasswordAuthentication
Specifies whether password authentication is allowed. The default is ``yes''.
is not self-explanatory (to me, that is!) in explaining that PasswordAuthentication set to yes sort of bypasses authentication with keypair (?)

Well well it works now. Again, thank you!
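An added example, not written by either poster, that serves two passages of this thread: the three sshd_config lines given in the reply above, and the misunderstanding just described, that PasswordAuthentication yes would demand a password on top of the key. The script parses constructed sshd_config text the way sshd_config(5) says sshd does (keywords case-insensitive, keyword and value separated by whitespace or `=`, the first value for a keyword wins, Match blocks conditional) and answers the question that matters for brute force: can a client holding nothing but a guessed password log in? It also shows the directive that actually expresses "key AND password", AuthenticationMethods. The defaults table follows the man page; treating keyboard-interactive plus PAM as a Unix password prompt is a Linux assumption, and the four config texts are constructed.

```python
"""Audit an sshd_config for logins that a guessed password alone can open.

Added example, not from the forum thread. Parsing follows sshd_config(5):
keywords are case-insensitive, keyword and value are separated by
whitespace or '=', the FIRST value for a keyword wins, and lines under a
Match block apply only to matching connections. DEFAULTS follow the man
page (UsePAM defaults to no at compile time; distro packages ship yes).
Assumption: keyboard-interactive via PAM ends up asking for the Unix password.
"""
import re

DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",  # ChallengeResponseAuthentication is its old name
    "usepam": "no",
    "authenticationmethods": "any",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
LINE_RE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")


def effective_settings(config_text):
    """Global settings after first-match-wins, plus the Match criteria seen."""
    found, match_blocks, in_match = {}, [], False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        value = m.group(2).strip()
        if key == "match":
            in_match = True
            match_blocks.append(value)
            continue
        if in_match:
            continue                                # conditional override, not global
        found.setdefault(key, value)                # sshd ignores later duplicates
    settings = dict(DEFAULTS, **found)
    settings["_match_blocks"] = match_blocks
    return settings


def key_required(settings):
    """True when every AuthenticationMethods alternative includes publickey.
    'publickey,password' = both, in order; 'publickey password' = either one."""
    methods = settings["authenticationmethods"].lower()
    if methods in ("", "any"):
        return False
    return all("publickey" in alt.split(",") for alt in methods.split())


def password_only_login_possible(settings):
    """Can a client holding only a password get a shell? This is the brute-force exposure."""
    def on(key):
        return settings[key].lower() == "yes"
    password_prompt = on("passwordauthentication")
    pam_prompt = on("kbdinteractiveauthentication") and on("usepam")  # PAM asks for the password
    return (password_prompt or pam_prompt) and not key_required(settings)


def audit(config_text):
    s = effective_settings(config_text)
    return {"password_only_login": password_only_login_possible(s),
            "key_required": key_required(s), "match_blocks": s["_match_blocks"]}


# Constructed configs. WEAK_CONFIG is the state described in the first post.
WEAK_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""
# The three lines from the reply, plus a stale 'yes' further down to show first-wins.
HARDENED_CONFIG = """
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication yes   # ignored: the keyword was already set above
"""
# Key AND password: what PasswordAuthentication yes was mistaken for.
TWO_FACTOR_CONFIG = """
PasswordAuthentication yes
AuthenticationMethods publickey,password
UsePAM yes
ChallengeResponseAuthentication no
"""
# Passwords only from the LAN; WAN clients still need the key.
LAN_ONLY_CONFIG = """
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
Match Address 192.168.0.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("two-factor", TWO_FACTOR_CONFIG), ("lan-only", LAN_ONLY_CONFIG)]:
        print(f"{name}: {audit(cfg)}")
```

Two caveats the script makes visible. First-wins means that appending `PasswordAuthentication no` to the end of a file that already says `yes` higher up (or in a file pulled in by an `Include` directive near the top, as recent distro packages do) changes nothing; the script does not follow `Include`, so check with `sudo sshd -T | grep -i passwordauthentication`, which prints the running daemon's effective values after the restart. Second, a `Match Address` block is the clean way to keep the convenience of password login on the LAN while forcing key-only login from the WAN, which is exactly the split the original post describes.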
Jamesc359

Re: SSH security. Passphrase problem?

Post by Jamesc359 »

You're welcome. :)

Please mark your thread (original post title) as solved.