Gentoo Forums
SSH key authentication of a dynamic IP system [SOLVED]
Gentoo Forums Forum Index :: Networking & Security
schmeggahead
Guru
Joined: 25 Feb 2003
Posts: 314
Location: Columbus, Ohio

PostPosted: Sat Sep 15, 2007 4:46 pm    Post subject: SSH key authentication of a dynamic IP system [SOLVED]

I'm looking at the SSH authentication available and wondering if I can do the following:

I would like to sign in from a remote system with a dynamic IP address and authenticate that machine with an RSA key - it doesn't have a host name to resolve to go in the SSH host file (to allow authentication).

Would it be better to just use a user RSA key and allow only one user through that port?

I would really like to restrict any access to the SSH from any system that doesn't present that key.

I would still like to have to enter user name and password in the login process so that anyone with the private key has to have the pass phrase, user name and that user's password.


Last edited by schmeggahead on Sun Sep 23, 2007 5:45 pm; edited 1 time in total
sschlueter
Guru
Joined: 26 Jul 2002
Posts: 578
Location: Dortmund, Germany

PostPosted: Sun Sep 16, 2007 12:10 am    Post subject:

I don't quite understand the problem... an rsa key in ~/.ssh/authorized_keys may contain a "from" option to enable host name matching in addition to public key authentication, but this is optional, you don't have to use it.
schmeggahead
Guru
Joined: 25 Feb 2003
Posts: 314
Location: Columbus, Ohio

PostPosted: Sun Sep 16, 2007 12:14 pm    Post subject:

Here's what I really want to do:

Setup SSH to accept only certificates as authentication and stop accepting any other form of authentication (including passwords).

I want to do this on a port other than 22.

Meanwhile, I would like the existing port 22 to allow password authentication.

This way I can open the other port through the firewall and be assured the private key must be used to gain access and all others would be refused.

Here's what I think I need to do:
  • clone the /etc/init.d/sshd script to sshdx
  • point sshdx to a different config file sshdx_config
  • change configuration to port xxxx
  • change configuration to support certificate authentication (don't understand how to do this)
  • change configuration to disable password authentication (don't know how to do this either)
  • test it
  • rc-update add sshdx default
xbmodder
Guru
Joined: 25 Feb 2004
Posts: 404

PostPosted: Sun Sep 16, 2007 9:26 pm    Post subject:

* clone the /etc/init.d/sshd script to sshdx
* point sshdx to a different config file sshdx_config
* change configuration to port xxxx
* change configuration to support certificate authentication (don't understand how to do this)
* change configuration to disable password authentication (don't know how to do this either)
* test it
* rc-update add sshdx default

Why do you want an sshdx?

* change configuration to support certificate authentication (don't understand how to do this)
* change configuration to disable password authentication (don't know how to do this either)
This you do by adding the lines:

Code:
ChallengeResponseAuthentication no
GSSAPIAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
_________________
http://xbmodder.us/
sschlueter
Guru
Joined: 26 Jul 2002
Posts: 578
Location: Dortmund, Germany

PostPosted: Sun Sep 16, 2007 10:05 pm    Post subject:

I think it would be better to use only one instance of the ssh server.

I guess that you want to allow password authentication on your local network and just want to make sure that no password authentication is allowed for connections made from the internet so that no passwords can be bruteforced.

Then you could configure the ssh server to disallow password authentication globally and use the "Match" keyword in sshd_config to allow password authentication if the connection is from the local network.

On my system, it's sufficient to set both "PasswordAuthentication" and "UsePAM" to "no" to disallow password authentication.
sschlueter
Guru
Joined: 26 Jul 2002
Posts: 578
Location: Dortmund, Germany

PostPosted: Sun Sep 16, 2007 10:30 pm    Post subject:

Here's a working sshd_config file that globally disallows password authentication but allows it for the trusted network:

Code:
Protocol 2
PasswordAuthentication no
UsePAM no
X11Forwarding yes
Subsystem       sftp    /usr/lib/misc/sftp-server
Match Address 192.168.1.*
        PasswordAuthentication yes
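To see what this config actually grants a given client address, and how the PasswordAuthentication, UsePAM and ChallengeResponseAuthentication keywords from the two posts above combine, here is an added Python example (not from this thread or from OpenSSH) that evaluates Match Address blocks the way sshd does: the first matching block that sets a keyword wins, patterns are globs on the dotted address or CIDR, and a matching "!"-negated entry vetoes the list. It assumes only Match Address criteria; the sample config is the one posted above.

```python
import fnmatch
import ipaddress

# Constructed sample: the sshd_config posted above, verbatim.
SAMPLE_CONFIG = """Protocol 2
PasswordAuthentication no
UsePAM no
X11Forwarding yes
Subsystem       sftp    /usr/lib/misc/sftp-server
Match Address 192.168.1.*
        PasswordAuthentication yes
"""
DEFAULTS = {"passwordauthentication": "yes", "challengeresponseauthentication": "yes", "usepam": "no"}  # sshd defaults

def parse_sshd_config(text):
    """Return (global options, [(address patterns, block options), ...]); keys lowercased."""
    global_opts, blocks, current = {}, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        key, value = (line.split(None, 1) + [""])[:2]  # keyword, then the rest (tabs or spaces)
        key = key.lower()
        if key == "match":
            assert value.lower().startswith("address "), "only 'Match Address' is handled here"
            current = {}
            blocks.append((value.split(None, 1)[1].split(","), current))
        else:  # keywords before the first Match line are global, afterwards they belong to the block
            (global_opts if current is None else current)[key] = value
    return global_opts, blocks

def address_list_matches(addr, patterns):  # entries are CIDR (10.0.0.0/8) or globs (192.168.1.*)
    ip, positive = ipaddress.ip_address(addr), False
    for pat in patterns:
        negated, pat = pat.startswith("!"), pat.lstrip("!")
        hit = ip in ipaddress.ip_network(pat, strict=False) if "/" in pat else fnmatch.fnmatchcase(addr, pat)
        if hit and negated:  # a matching negated entry vetoes the whole list, as in sshd
            return False
        positive = positive or hit
    return positive

def effective_option(text, addr, option):
    """First Match block that both matches addr and sets option wins, else the global value, else sshd's default."""
    global_opts, blocks = parse_sshd_config(text)
    option = option.lower()
    for patterns, opts in blocks:
        if option in opts and address_list_matches(addr, patterns):
            return opts[option]
    return global_opts.get(option, DEFAULTS.get(option))

def password_login_possible(text, addr):  # direct password prompt, or PAM-backed keyboard-interactive
    get = lambda k: effective_option(text, addr, k) == "yes"
    return get("PasswordAuthentication") or (get("ChallengeResponseAuthentication") and get("UsePAM"))
```

On a real host running current OpenSSH the authoritative check is `sshd -T -C addr=<client ip>`, which prints the effective settings after Match processing for that address.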
schmeggahead
Guru
Joined: 25 Feb 2003
Posts: 314
Location: Columbus, Ohio

PostPosted: Sun Sep 16, 2007 10:44 pm    Post subject:

Thanks for the config updates - I would rather have one instance of ssh that is smart enough to do what I want (and now thanks to you, I'm smart enough to tell it how to be smart enough to do what I want. :D )

I do want to avoid the brute force password attack that you mention.

I'm still battling expat hades which got me into the full system rebuild situation in the first place (well my own stupidity got me there unmerging python to get around a block with emerge -e system <ouch>). At least I only nuked one of my gentoo boxes.
So I thought a full system rebuild would not encounter the expat problem - WRONG - I sure hope newbies have a clear path in the install doc or there won't be any new gentoo systems out there. oy.

Update: I have returned from expat hades and emerged victorious. Revdep-rebuild now actually gives me a good completion.
So as long as the newbies do revdep-rebuild, they are good to go.

Still failing to use certificate authentication though.
Built the certificate in Puttygen and saved it first in the openssh version and then the default. Neither seems to work. I also edited .ssh/authorized_keys to have the rsa certificate be one line and no other lines in the file.

Punting and creating the certificate in ssh.

OK - I get a big DUH for not using the copy and paste screen in Puttygen to copy and paste into authorized keys file.
All is working for certificate authentication.
Moving forward with the config changes.
schmeggahead
Guru
Joined: 25 Feb 2003
Posts: 314
Location: Columbus, Ohio

PostPosted: Wed Sep 19, 2007 12:30 am    Post subject:

So a visit to my local Panera confirmed - certificate only outside my network.

Way cool. X works (maybe a little slowly) and PSFTP worked like a charm.

cool. 8) 8) 8)
All times are GMT