hi there,
i've got a problem here with ssh that is confusing me quite a little.
i want to ssh into a remote machine using rsa authentication. for that i have set up a key pair, put the public key on the remote machine and so on.
when ssh-ing into the machine everything works fine, i'm getting asked for the passphrase and have access then.
BUT: when i change users on my computer and try to ssh into the same machine, i'm getting asked for the password of the remote user's account and have access if i type it in. no asking for the passphrase and no comparison of keys, as the other user on my local machine has no keys in his home directory. i find that a little awkward. what's all this security for, if i don't even need a fitting key to log into the remote machine?
all this is the case if i put sshd: ALL into /etc/hosts.allow (on the remote machine), so maybe it is no wonder that everyone is granted access. however if i don't put that line into the file, i can't even connect with the user who has the right key under ~/.ssh/id_rsa.
putting in a static ip address is not an option as i don't have a static ip address.
so actually my question is: How to grant access on the remote machine only to those users who have a fitting key and absolutely no others, no matter if they know the remote user's password or not?
thank you in advance
Last edited by calle (2009-07-23 16:15:42)
If you don't explicitly disable password authentication the sshd will fall back to using it when you're using an account with no private key in ~/.ssh/
In order to fix this you need to add a few lines to the sshd_conf, here are a few lines from my config:
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
AllowUsers myusername
Those lines make SSH quite a bit more secure, the important one is PasswordAuthentication. If you are worried about random bruteforce attacks I find fail2ban can be quite effective.
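One thing worth checking after adding those lines: sshd uses the first value it sees for a keyword and ignores later duplicates, so a `PasswordAuthentication no` appended below a stock `PasswordAuthentication yes` changes nothing. The script below is an added example (not from this thread) that reads a config file the way sshd does for the three directives that matter here and reports whether password logins are still possible; it assumes plain sshd_config syntax and stops at the first `Match` block, since those lines are conditional. On a live host `sshd -T` prints the effective values directly.

```shell
#!/bin/sh
# Print the effective (first-match, lowercased) value of KEY in FILE,
# or DEFAULT if the file never sets it. Keywords are case-insensitive.
sshd_effective() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }       # skip comments and blank lines
        tolower($1) == "match"      { exit }       # conditional blocks: stop here
        tolower($1) == tolower(k)   { print tolower($2); exit }   # first match wins
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# Return 0 if FILE leaves only public-key authentication enabled, 1 otherwise.
# Defaults mirror OpenSSH's compiled-in defaults: password and
# challenge-response are ON unless disabled, pubkey is ON.
sshd_key_only() {
    file=$1; rc=0
    pw=$(sshd_effective "$file" PasswordAuthentication yes)
    cr=$(sshd_effective "$file" ChallengeResponseAuthentication yes)
    pk=$(sshd_effective "$file" PubkeyAuthentication yes)
    [ "$pw" = no ]  || { echo "PasswordAuthentication is $pw (want no)"; rc=1; }
    [ "$cr" = no ]  || { echo "ChallengeResponseAuthentication is $cr (want no)"; rc=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication is $pk (want yes)"; rc=1; }
    return $rc
}

# Constructed sample config: the fix from the reply above was appended
# without removing the distribution's original "yes" line.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# stock line left in place
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

if sshd_key_only "$SAMPLE"; then
    echo "$SAMPLE: key-only logins"
else
    echo "$SAMPLE: password logins still possible"   # this is what the sample prints
fi
```

Run `sshd -t` after editing to catch syntax errors before restarting the daemon, and keep an existing session open until a fresh key-based login has succeeded.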
thanks a lot!
that was what i was looking for.