I'm trying to make it impossible to connect to my ssh server (running on OS X) with the standard username and password combination. Instead, I'd prefer that authentication only occur with public/private key exchange. Presumably then, only possession of the key will grant access, and that key only lives on one machine -- my laptop.
So I've edited the sshd_config file on the server with the following settings:
DSAAuthentication yes
RSAAuthentication no
PasswordAuthentication no
PubKeyAuthentication yes
After restarting the server, however, I can still log in from any machine on my network using ssh user@sshserver, and providing the user account password.
What am I missing? Or am I obviously just not clear on the concept?
Thanks!
-
You need to generate a key pair and share the public key via some manual method. Here's a description of the process from the man page for ssh:
"ssh implements the RSA authentication protocol automatically. The user creates his/her RSA key pair by running ssh-keygen(1). This stores the private key in ~/.ssh/identity and stores the public key in ~/.ssh/identity.pub in the user's home directory. The user should then copy the identity.pub to ~/.ssh/authorized_keys in his/her home directory on the remote machine (the authorized_keys file corresponds to the conventional ~/.rhosts file, and has one key per line, though the lines can be very long). After this, the user can log in without giving the password."
You can do a "man ssh-keygen" to learn how to generate the key pair, but if you don't want to know that much about it, the command I've used is "ssh-keygen -t rsa" and then just hit return at all the prompts (you don't need a passphrase). The names of the two key files are a little different from what the ssh man page says, but not so different that it's confusing - I'm sure you can figure that part out. Also, I'm using the default sshd_config file, so I don't think you'll need to modify that (but I'm not using a server, so it could be different).
HTH - Good luck!
Dana -
-
Hey, thanks for the reply.
I actually did generate the key pair early on as my first step. The problem I was having was that even with the keys, my ssh server (which by my definition is any machine running sshd) still authenticated using the standard user password. It didn't matter which machine I attempted to connect from -- if I had the valid username and password combination, I was able to log in.
It turns out that the answer to my problem was to add a line to the sshd_config file:
UsePAM no
Now, I can *only* log in from the user account on the client machine (in this case, my laptop) that has the key. From any other machine, I get kicked off immediately. I haven't tried logging in from a different user account on this machine, but I'm confident the result would be the same.
Cheers.
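An added example for the two procedures in this thread (Dana's key-installation steps and the original poster's sshd_config fix); it is not code from either poster. It assumes OpenSSH's sshd_config rules (keywords are case-insensitive and the first occurrence of a keyword wins) and the fact behind the poster's observation: with PasswordAuthentication no, sshd can still accept the account password through PAM's keyboard-interactive method as long as both UsePAM and ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer releases) are enabled. Setting UsePAM no closes that path, as the poster found; so does leaving PAM on and setting ChallengeResponseAuthentication no. The function names, file names and sample configs below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes OpenSSH sshd_config
# semantics; sample configs and key material below are constructed.

# Append a public key to a user's authorized_keys with the permissions sshd's
# StrictModes expects (.ssh 700, authorized_keys 600). One key per line; the
# same key is not appended twice.
# $1 = public key file (e.g. ~/.ssh/id_rsa.pub), $2 = target home directory
install_authorized_key() {
    pub="$1"; home="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$(cat "$pub")" "$home/.ssh/authorized_keys" \
        || cat "$pub" >> "$home/.ssh/authorized_keys"
}

# Number of non-empty lines (keys) in a home directory's authorized_keys.
count_authorized_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}

# Exit 0 when an sshd_config leaves no way to log in with a plain account
# password, 1 otherwise. Rules applied:
#   - PasswordAuthentication must be "no"
#   - PAM keyboard-interactive must be off: UsePAM no, or
#     KbdInteractiveAuthentication/ChallengeResponseAuthentication no
# Unset keywords are treated as "yes" (conservative: assume the path is open).
# Match blocks are conditional and are not audited here (assumption).
sshd_password_paths_closed() {
    awk '
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { inmatch = 1 }
        inmatch { next }
        { sub(/#.*/, "") }                  # strip comments
        NF < 2 { next }
        {
            k = tolower($1); v = tolower($2)
            if (!(k in val)) val[k] = v     # first occurrence of a keyword wins
        }
        END {
            pw  = ("passwordauthentication" in val) ? val["passwordauthentication"] : "yes"
            pam = ("usepam" in val) ? val["usepam"] : "yes"
            if ("kbdinteractiveauthentication" in val)
                kbd = val["kbdinteractiveauthentication"]
            else if ("challengeresponseauthentication" in val)
                kbd = val["challengeresponseauthentication"]
            else
                kbd = "yes"
            if (pw != "no") exit 1          # plain password method still on
            if (pam == "yes" && kbd == "yes") exit 1   # PAM can still ask for the password
            exit 0
        }
    ' "$1"
}

# --- Demonstration on constructed configs (not real hosts) ---
demo=$(mktemp -d)
cat > "$demo/as_posted" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM yes          # PAM keyboard-interactive still accepts the account password
EOF
cat > "$demo/with_usepam_no" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM no           # what the original poster ended up doing
EOF
cat > "$demo/with_kbd_no" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no   # closes the PAM path while keeping UsePAM on
UsePAM yes
EOF
for f in as_posted with_usepam_no with_kbd_no; do
    if sshd_password_paths_closed "$demo/$f"; then
        echo "$f: password logins blocked"
    else
        echo "$f: password logins still possible"
    fi
done

# To confirm against a live server, force the client to skip its key and
# offer only password-style methods; a correct server answers "Permission denied":
#   ssh -o PubkeyAuthentication=no \
#       -o PreferredAuthentications=password,keyboard-interactive user@sshserver
```

Run the audit against /etc/sshd_config (or /etc/ssh/sshd_config) after each edit and restart; the live check with PubkeyAuthentication=no is the test that would have shown the original configuration was still open.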
-