I've read tutorials on ssh and how to configure sshd_config as well as several forum posts on the topic.
Problem: When connecting to my ssh server from the WAN I'm only asked for username and password, not a passphrase.
What I did:
sshd resides on LAN 192.168.0.101. From another pc (192.168.0.102) on the LAN, using Putty, I generated rsa keys with a passphrase. scp'ed the public key to my homedir on 192.168.0.101 and added the key to ~/.ssh/authorized_keys
I also changed permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys
I logged in from 192.168.0.102 and was asked for the passphrase - worked fine.
Then I visited a friend and logged in on my ssh server from his computer with Putty (from WAN side, that is). This worked fine, but I wasn't asked for a passphrase - only username and password. This means my server is open to brute force attacks, no?
I might have misunderstood something fundamental, but I was under the impression that encrypted keys provided an extra layer of security not only by encrypting traffic but also by requiring a passphrase?
[SOLVED] SSH security. Passphrase authentication problem?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: SSH security. Passphrase problem?
The reason it's prompting you for a password and username at your friend's is because your friend's computer doesn't have the private key you created. I'm going to assume your friend's computer is safe (free of key-loggers, etc.). So the easiest way to deal with this is to carry a thumb drive with a portable version of Putty on it and the private key. If you don't want to use a portable version of Putty, just a thumb drive with your private key on it would work as well. You can then point the Putty on his machine to that key.
To disable it prompting for a password and username on all foreign computers you need to edit /etc/ssh/sshd_config and restart sshd.
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
sudo service ssh restart
Now that you've got that done you need to test it. Open Putty, load your profile, go to Connection > SSH > Auth and clear out the Private Key File for Authentication entry and hit open. Type in a username, hit Enter and you should be prompted with an error. Now try it again but this time don't remove the key and you should be able to successfully log in. Just remember that without the private key you'll never be able to log in remotely.
As another layer of security you can also configure iptables (firewall) to limit the number of connection attempts to port 22.
With gufw you click the lock icon, punch in your password. Edit > Add rule > Simple (tab)
Select Limit, In, TCP, 22
If for whatever reason you're not able to ensure that you'll have the private key with you at all times, this (combined with a strong password) is a suitable alternative to effectively stop a brute force attack.
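The reply above edits sshd_config and then tests by hand with Putty. A complementary check, added here as an example and not code from this thread or from OpenSSH, is to verify what sshd actually enforces: `sshd -T` prints the effective configuration after Match blocks and Include files are resolved, so a keyword that was overridden or mistyped shows up there. The function below reads that output from stdin and confirms password and keyboard-interactive authentication are off while public-key authentication stays on (on OpenSSH 8.7 and later, ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication and `sshd -T` reports the latter, so both spellings are accepted). It inspects authentication keywords only and says nothing about UsePAM, which also governs PAM account and session handling. The sample inputs are constructed, and the `sudo sshd -T` usage line is the hypothetical real-world invocation.

```shell
# Verify the sshd settings that take effect, rather than trusting what was
# typed into /etc/ssh/sshd_config. Reads `sshd -T` output from stdin.
#
# Hypothetical real-world use (needs root to read the host keys):
#   sudo sshd -T | check_sshd_hardening
#
# Returns 0 when every check passes, 1 otherwise; prints one line per check.

# expect_setting KEY WANT [ALT]: compare the effective value of KEY (or of
# ALT, an older spelling of the same keyword) against WANT.
expect_setting() {
    key=$1
    want=$2
    alt=${3:-$1}
    got=$(printf '%s\n' "$CONF" | awk -v k="$key" -v a="$alt" \
        '$1 == k || $1 == a { print $2; exit }')
    if [ "$got" = "$want" ]; then
        echo "ok    $key = $got"
        return 0
    fi
    echo "FAIL  $key = ${got:-<unset>} (expected $want)"
    return 1
}

check_sshd_hardening() {
    # sshd -T prints lowercase keywords; lowercase everything so hand-written
    # config fragments can be checked too.
    CONF=$(tr '[:upper:]' '[:lower:]')
    status=0
    # Password guessing over the network needs one of these two to be on.
    expect_setting passwordauthentication no || status=1
    expect_setting kbdinteractiveauthentication no challengeresponseauthentication || status=1
    # Key-based login must stay enabled, or nobody can get in after the change.
    expect_setting pubkeyauthentication yes || status=1
    return $status
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_WEAK='port 22
passwordauthentication yes
challengeresponseauthentication yes
pubkeyauthentication yes'

SAMPLE_HARDENED='port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Demonstration when run directly.
printf '%s\n' "$SAMPLE_WEAK" | check_sshd_hardening || echo "weak config: rejected"
printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_hardening && echo "hardened config: accepted"
```

Run the check in a second terminal after `sudo service ssh restart` but before closing the session you already have open; a missing keyword is reported as `<unset>` and counts as a failure, because the default for PasswordAuthentication is yes.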
Re: SSH security. Passphrase problem?
Thanks a lot for your reply. I really appreciate your detailed explanation.
I managed to make it work with my private key. It was the PasswordAuthentication yes entry that bugged me - I perceived this as a setting which would require a password in addition to private key+passphrase.
The man page entry
PasswordAuthentication
Specifies whether password authentication is allowed. The default is ``yes''.
is not self-explanatory (to me, that is!) in explaining that PasswordAuthentication set to yes sort of bypasses authentication with keypair (?)
Well well it works now. Again, thank you!
Re: SSH security. Passphrase problem?
You're welcome.
Please mark your thread (original post title) as solved.