# [basically solved]openssh RequiredAuthentications equivalent

## reverendryan

Given the recent rash of SSH vulnerabilities, exploits, and attacks, I'm trying to implement some sort of 2-factor (or 1-and-a-half-factor at the least) authentication. It seems the easiest thing to do would be to make openssh require both a public key and a (server-validated) password (PAM or not). The ssh.com version of ssh has a configuration option called RequiredAuthentications which does exactly what I would like - require one or more forms of authentication:

```
RequiredAuthentications      publickey,password
```

It's too bad, then, that net-misc/ssh is masked for removal from Portage.

I've found a few people around the net asking the same question as myself, such as this guy who gets pointed to a 3-year-old openssh bug, and an unresolved bug over at Debian (somewhat ironic, i think...). Unfortunately most of the threads I found elsewhere either had no replies, or linked to an old bug somewhere.

So, what am I to do? Leaving my systems allowing only key-based auth seems scary, and going back to passwords doesn't seem much better. Perhaps there's some trick that PAM can do that I'm not aware of?

Any insight would be greatly appreciated.

Last edited by reverendryan on Tue Sep 02, 2008 3:58 pm; edited 1 time in total
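OpenSSH later gained a direct equivalent of the RequiredAuthentications option asked for above: AuthenticationMethods, added in OpenSSH 6.2. The sshd_config fragment below is an added example, not part of this thread; the group name is an assumption.

```text
# /etc/ssh/sshd_config excerpt, OpenSSH 6.2 or newer (added example, not from the thread).
# Every method in the list must succeed, in this order: the client first proves it
# holds the private key, then the server-checked account password is asked for.
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password

# Variant when the password is validated through PAM rather than sshd's own check;
# this needs UsePAM yes and keyboard-interactive authentication enabled
# (ChallengeResponseAuthentication yes on the versions of that era):
# AuthenticationMethods publickey,keyboard-interactive:pam

# To demand both factors only from the less-trusted accounts (assumed group name),
# leave the global line out and set it in a Match block instead:
# Match Group keyholders
#     AuthenticationMethods publickey,password
```

Check the result with `sshd -t` before restarting; an older sshd rejects the option with the same "Bad configuration option" error that RequiredAuthentications produces later in this thread.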

----------

## di1bert

Setup port knocking on your system. It does mean a little extra work on your side, but it's a great weekend project and will provide you with an extra level of protection.

That with DenyHosts would add the extra security you require...

</0.02c>

-em

----------

## reverendryan

 *di1bert wrote:*   

> Setup port knocking on your system.

Thanks for the tip, I'll look into that.

 *di1bert wrote:*   

> That with DenyHosts would add the extra security you require...

I'm already using DenyHosts; the problem is the new attacks are using stolen (legitimate) keys, either following the chain of trust from the recently compromised RedHat servers, blacklisted keys from the Debian OpenSSH thing, or both. Basically I don't trust the other people with access to my boxen to not get their private keys stolen.

----------

## notHerbert

Cookie?

```
*  dev-perl/Apache-AuthCookie
      Latest version available: 3.10
      Latest version installed: [ Not Installed ]
      Size of files: 34 kB
      Homepage:      http://search.cpan.org/~mschout/Apache-AuthCookie-3.08/
      Description:   Perl Authentication and Authorization via cookies
      License:       Artistic
```

----------

## Hu

 *reverendryan wrote:*   

> Basically I don't trust the other people with access to my boxen to not get their private keys stolen.

You could enforce key expiration.  Set up a cron job that runs once a week/month/quarter that examines the authorized_keys files of the untrusted users and deletes any entries that were there last time and are still there this time.  Then, any stolen key will be worthless after the next run of the cron job.
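Hu's cron job as a worked script, an added example that is not from the thread: it keeps a snapshot of the keys seen at the previous run and deletes every key that is present in both, so any key survives exactly one interval. The file paths and the cron line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): key expiry as described by Hu.
# expire_keys AUTHORIZED_KEYS SNAPSHOT
#   Deletes from AUTHORIZED_KEYS every key line that also appears in SNAPSHOT
#   (i.e. was already there at the previous run), leaves comments and blank
#   lines untouched, then stores the surviving keys as the new SNAPSHOT.
#   Prints the number of keys removed.
# Assumed cron line (weekly, Monday 03:00):
#   0 3 * * 1 /usr/local/sbin/expire_keys.sh /home/bob/.ssh/authorized_keys /var/lib/keyexpiry/bob
expire_keys() {
    keys="$1"; snap="$2"
    tmp="$(mktemp)"
    removed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line" >>"$tmp"; continue ;;  # not a key
        esac
        if [ -f "$snap" ] && grep -qxF -- "$line" "$snap"; then
            removed=$((removed + 1))            # seen last run: drop it
        else
            printf '%s\n' "$line" >>"$tmp"      # new since last run: keep it
        fi
    done <"$keys"
    # Snapshot for the next run: only the key lines that survived this one
    sed '/^#/d;/^[[:space:]]*$/d' "$tmp" >"$snap"
    # Rewrite in place so owner and mode of authorized_keys are preserved
    # (sshd's StrictModes rejects files with the wrong owner or permissions)
    cat "$tmp" >"$keys"
    rm -f "$tmp"
    echo "$removed"
}

if [ "$#" -eq 2 ]; then
    expire_keys "$1" "$2"
fi
```

Users must install a fresh key before the run that follows the one which first recorded their current key, otherwise they lock themselves out until an administrator adds one for them.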

----------

## jcat

A user's account being compromised does not necessarily lead to the system being compromised, if users are only granted sensible privileges (very few) and sensible file permissions are used.

Anyway, as far as I know, AllowedAuthentications and RequiredAuthentications options work for OpenSSH.  Have you actually tried them?

Cheers,

jcat

----------

## reverendryan

 *jcat wrote:*   

> Anyway, as far as I know, AllowedAuthentications and RequiredAuthentications options work for OpenSSH.  Have you actually tried them?

I have, here are the results: 

 */etc/init.d/sshd start wrote:*   

> /etc/ssh/sshd_config: line 45: Bad configuration option: RequiredAuthentications
> /etc/ssh/sshd_config: terminating, 1 bad configuration options
> ...

 *Hu wrote:*   

> You could enforce key expiration.

Good idea, I might do that as a one time thing. I'll have to make sure that the Windows users logging in know how to regenerate their keys, tho.

Thanks for the tips, everyone. I'm going to go ahead and mark this thread [basically solved], since I guess I'm not going to get what I want  :Smile: 

----------

## jcat

 *reverendryan wrote:*   

> *jcat wrote:* Anyway, as far as I know, AllowedAuthentications and RequiredAuthentications options work for OpenSSH.  Have you actually tried them?
>
> I have, here are the results:
>
> */etc/init.d/sshd start wrote:*
> ...

Apologies, yes, you're correct.  It looks like the feature was requested once or twice on Bugzilla, but never implemented in OpenSSH.  

I know you've marked this as solved but..

Are you not handing out keys _with_ a passphrase anyway?  That requires whoever logs in with the key to know the password for the key as well.   That is 2-tier auth, isn't it??  :Smile: 

If you're handing out keys with empty passphrases (generating the key without entering a passphrase when prompted), that's not a good idea!

Cheers,

jcat

----------

## reverendryan

 *jcat wrote:*   

> Are you not handing out keys _with_ a passphrase anyway?  That requires whoever logs in with the key to know the password for the key as well.   That is 2-tier auth, isn't it?? 
> 
> If you're handing out keys with empty passphrases (generating the key without entering a passphrase when prompted), that's not a good idea!

Thus far I haven't generated others' keys; they've generated them and given them to me out-of-band (on a flash drive). Perhaps what I'll do is "expire" their keys and generate new ones for them (with some warning, of course). It is possible to remove the password from a private key (first Google hit), but I'm not sure any of my users are crafty enough to do that.

The best solution still seems to be a RequiredAuthentications equivalent. I suppose I could create my own overlay and maintain my own patched version of openssh, but where would I find that kind of time?!  :Rolling Eyes: 

----------

## PCGyver

I made some combinations.

During logon I have to:

1. enter the password for the private key (retries depend on sshd_config)

2. enter the password for the user (retries depend on the script /usr/scripts/sshauth.sh)

like:

```
login as: pcgyver
Authenticating with public key "PCGyver Server Key"
Passphrase for key "PCGyver Server Key":
User password: User password: User password:
login as: pcgyver
Authenticating with public key "PCGyver Server Key"
Passphrase for key "PCGyver Server Key":
User password:
Access denied
User password:
Access denied
User password:
pcgyver@serwer ~ $
```

My user is in the wheel group. 

In sshd_config:

```
AllowUsers pcgyver

Match User pcgyver
        ForceCommand /usr/scripts/sshauth.sh
```

and other changes to replace password login with key login. http://www.g-loaded.eu/2005/11/10/ssh-with-keys/

I made the script /usr/scripts/sshauth.sh   (chmod 755 /usr/scripts/sshauth.sh)

```
#!/bin/bash
# Second factor for key-authenticated logins: run as the ForceCommand, ask for the
# account password (checked by su), then hand over to the login shell or to the
# command the client originally requested.
DEBUG=0
STD="\\033[0;39m"
OK="\\033[1;32m[OK]$STD"
ERR="\\033[1;31m[Err]$STD"

trap disconnect INT

# Kill the sshd session process that spawned us, which drops the client
disconnect() {
  sleep 1
  kill -9 $PPID
  exit 1
}

debug() {
  if test "$DEBUG" = 1 ; then
    echo -e "$@"
  fi
}

if test -z "$USER"
then
  debug "$ERR USER environment variable is not set" >&2
  disconnect
fi

for try in 1 2 3
do
   echo -n "User password: "
   # su reads the password from the tty itself; its own prompt is discarded
   su "$USER" -c "exit" 2>/dev/null >/dev/null
   rc=$?
   if test "$rc" = 0
   then
      debug "$OK validated"
      echo -en "\x0c"
      if test -z "$SSH_ORIGINAL_COMMAND"
      then
         # Interactive login: start the user's login shell from /etc/passwd
         # (the trailing colon stops "pc" from matching "pcgyver")
         exec "$(grep "^$(whoami):" /etc/passwd | cut -d ":" -f 7)"
      else
         # Run the requested command through a shell so its arguments are honoured
         exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
      fi
      disconnect
   else
      if test "$try" = 3; then
         disconnect
      else
         echo
         echo "Access denied"
      fi
   fi
done
```
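ForceCommand only intercepts session requests (a shell, a command or a subsystem); a client that opens no session, for instance port forwarding with `ssh -N`, never runs the script and is let in on the key alone. As an added example that is not part of PCGyver's post, the Match block with those other channel types closed:

```text
# sshd_config Match block for the ForceCommand approach above (added example, not from the post).
# The script gates only sessions, so everything else the key alone would unlock is disabled.
Match User pcgyver
        ForceCommand /usr/scripts/sshauth.sh
        AllowTcpForwarding no
        AllowAgentForwarding no
        X11Forwarding no
        PermitTunnel no
```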

----------

