| View previous topic :: View next topic |
| Author |
Message |
khuongdp
n00b
Joined: 09 Nov 2003
Posts: 73
|
 Posted: Mon Mar 15, 2004 11:11 pm Post subject: SSH and PasswordAuthentication |
 |
|
I have set up a ssh server. and it's just working fine 
Now I don't want to use passwords but only public key and passphrase. I have follow a tutorial for redhat.
The problem is that when I
I get
| Code: |
Enter passphrase for key '/home/khuongdp/.ssh/id_dsa': |
then I type the right passphrase and I can connect to the server. But when I type a wrong passphrase three times or I just press 'enter' this is displayed:
where I can enter the normal password for the user account.
How can I prevent the remote machine to allow password but only using the public key and passphrase. On the remote machine I have this in the /etc/ssh/sshd_config file:
| Code: |
PasswordAuthentication no |
|
|
| Back to top |
|
 |
bombcar
Guru
Joined: 08 Apr 2003
Posts: 453
Location: Wisconsin
|
| Posted: Mon Mar 15, 2004 11:20 pm Post subject: |
|
|
Did you restart SSH after changing the config file?
This sshd_config does it for me:
| Code: |
# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server
|
Hope this helps!  |
|
| Back to top |
|
|
khuongdp
n00b
Joined: 09 Nov 2003
Posts: 73
|
| Posted: Mon Mar 15, 2004 11:52 pm Post subject: |
|
|
It works
|
|
| Back to top |
|
|
alexf
n00b
Joined: 13 Jan 2004
Posts: 67
|
| Posted: Sun Jul 18, 2004 6:15 pm Post subject: |
|
|
Can anyone help me? I have a similar problem in that I want to configure sshd to allow only key acces (not system password) and that to do this I have to disable PAM in sshd_config (basically because I don't know how to configure PAM to accept only keys).
Does anyone know whether I should do this the way I am (by disabling PAM), or whether I'm best configuring PAM the right way (if so, how?). I'm not really sure what advantages PAM offers me in this situation - I am really only using ssh to access my box at work and to allow my brother access to his web site that I host.
Thanks for any advice,
Alex |
|
| Back to top |
|
|
gareth
Apprentice
Joined: 15 Nov 2003
Posts: 234
Location: UK
|
| Posted: Fri Aug 27, 2004 7:40 pm Post subject: |
|
|
I had similar problems - turns out it's the /etc/pam.d/ssh file.
Have a read of this |
|
| Back to top |
|
|
|
Networking & Security
