SSH - Require passphrase entry during public key authentication

StackOverflow https://stackoverflow.com/questions/21761966

Question

I've read up a bit on public key authentication, but I think I'm missing a key aspect.

I have an Ubuntu server I've configured to work as an Subversion server that accepts SVN connections over SSH using a non-standard port. So, to check out, it would something like:

svn co svn+ssh://user@example.com:12345/repos/public

Now, my server currently supports both password based authentication, and public key authentication. Assuming my server at my office is bolted and anchored down, and the firewall and all are working, I don't have to worry about someone copying files off the server.

For my two client laptops, I've generated public-private key pairs, and have added the public keys for the clients to the AuthorizedKeys list on the server via the ssh-copy-id command. I can now SSH into the server from these client laptops without a password.

This concerns me though. If someone breaks into my hotel room and steals my laptop, then they can just pull the hard drive, copy the contents of ~/.ssh to a separate machine, and attempt to log in to my servers effortlessly. If I just used password-based authentication, and just memorize the passwords or store them in an encrypted TrueCrypt archive, it is much safer.

I know that during the creation of my key pairs on the clients, a passphrase had to be entered. Is it possible to require the server to not only validate the public key, but to also require the passphrase to be entered? This seems like a very weak system if all that is required is stealing the laptop of a single employee and copying a file off of it to get total system access.

Thank you.

Was it helpful?

Solution 2

This is covered on another SO site.

https://serverfault.com/questions/93807/how-do-i-setup-ssh-with-both-private-key-and-password

Here is the example SSHD server script.

#######################################################
###  Calomel.org  SERVER  /etc/ssh/sshd_config
#######################################################
#
Port 22
Protocol 2
AddressFamily inet
#ListenAddress 127.0.0.1

#See the questions section for setting up the gatekeeper
#ForceCommand /tools/ssh_gatekeeper.sh 

AllowUsers calomel@10.10.10.3 calomel@192.168.*
AllowGroups calomel

AllowTcpForwarding yes
#AuthorizedKeysFile .ssh/authorized_keys (need to be be commented for OpenSSH 5.4)
Banner /etc/banner
ChallengeResponseAuthentication no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
ClientAliveInterval 15
ClientAliveCountMax 3
Compression yes
GatewayPorts no
LogLevel VERBOSE
LoginGraceTime 50s
MACs hmac-sha2-512-96,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-256,hmac-sha1-96,hmac-sha1
MaxAuthTries 6
MaxStartups 10
PasswordAuthentication yes
PermitEmptyPasswords no
#PermitOpen localhost:80
PermitRootLogin no
PermitUserEnvironment no
PidFile /var/run/sshd.pid
PrintLastLog yes
PrintMotd no
PubkeyAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/sftp-server
SyslogFacility AUTH
TCPKeepAlive no
UseDNS no
UseLogin no
UsePrivilegeSeparation yes
X11DisplayOffset 10
X11Forwarding no
X11UseLocalhost yes

#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
#
#######################################################
###  Calomel.org  SERVER  /etc/ssh/sshd_config
#######################################################

OTHER TIPS

You can protect the keystore on the client with an additional passphrase so one needs to unlock the key to use it but this is configured on the client and cannot be enforced by the server. Using an SSH-agent you need to unlock a key only once and use it as long as the client is in use.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top