How do I configure SSH so that OTP can be used with ssh-copy-id and then only keypair authorization is accepted?
Is there a way to tell the SSH daemon, "when a remote device attempts to connect via SSH, verify against authorized_keys, but if there is no key offered, accept a one-time password so the user can use ssh-copy-id to provide it for subsequent attempts"?
Context:
I would like to be able to set up a Linux server so that a user can SSH into the box, but I want to use RSA keypairs for authentication. I also have several devices that I want to be able to connect from, so that means providing multiple key-pairs (not a problem).
Essentially, I want to add entries to authorized_keys using OTP and ssh-copy-id, from a device that currently would be denied access (because it hasn't presented a public key yet). I currently have to SSH in from a machine that can connect, edit the sshd_config file to allow passwords, then copy over the id with a static password, turn password authentication off and reboot the daemon. I would prefer a way to get an OTP from the system and then just use that and keep working...
ssh
You might want to write a PAM module for SSH that gets run if key auth fails. PAM is generally how you configure alternative auth mechanisms; that having been said, I don't know if there's already a better way out there, so I'm not giving that as an answer.
– Parthian Shot
Jul 29 '15 at 18:11
asked Jul 29 '15 at 17:35 by kvorak; edited Jan 13 at 22:00 by Rui F Ribeiro
1 Answer
Public key authentication is turned on by default and has higher priority than password authentication (handled by PAM or directly).
You can set up in sshd_config the option
    UsePAM yes
(the default on Red Hat), which will defer authentication to PAM -- this is configured in /etc/pam.d/sshd (can differ a bit on some systems).
For OTP you can use google_authenticator, or some other open implementation of one-time passwords. There are many how-to's around here. You can try to search for two-factor authentication, but basically it is adding one line like this
    auth required pam_google_authenticator.so
in /etc/pam.d/sshd and doing some configuration: Arch has nice instructions for this: https://wiki.archlinux.org/index.php/Google_Authenticator
Using only one-time passwords, without a second factor, can be a potential risk if the one-time password or token gets lost -- I recommend you not go this way, and rather implement two-factor authentication than only a one-time password.
answered Jul 29 '15 at 19:13 by Jakuje
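As an added example (not code from the question, the answer, or the google-authenticator project), here is a POSIX sh script that renders the sshd_config and /etc/pam.d/sshd fragments for the setup the answer describes and audits an sshd_config file for the weak shape the asker is trying to get away from (plain password login switched on). The AuthenticationMethods directive (OpenSSH 6.2 and newer) is not mentioned in the answer; it is what states "a public key alone, or otherwise the PAM keyboard-interactive login (password plus TOTP code)" explicitly, and PasswordAuthentication no closes the plain-password path so the PAM path is the only non-key way in for ssh-copy-id. File paths are parameters so the functions can be tried on scratch files before anything under /etc is touched; the enrolment flags are google-authenticator's own command-line options.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumptions: OpenSSH 6.2 or newer (AuthenticationMethods) and the
# pam_google_authenticator module installed. Paths are arguments so the
# functions can be exercised on scratch files first.
set -eu

# sshd_config directives for "key alone, or PAM keyboard-interactive alone".
# PasswordAuthentication stays off: the only non-key path is the PAM one, and
# that path asks for the verification code. On OpenSSH 8.7+ the keyword
# KbdInteractiveAuthentication replaces ChallengeResponseAuthentication, but
# the old name is still accepted as an alias.
write_sshd_fragment() {
    cat > "$1" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey keyboard-interactive
EOF
}

# The PAM line from the answer. Put it at the top of /etc/pam.d/sshd, before
# the distribution's include of the password stack, so an interactive login
# is password AND code: the two-factor setup the answer recommends.
write_pam_fragment() {
    cat > "$1" <<'EOF'
auth required pam_google_authenticator.so
EOF
}

# Enrol the TOTP secret for the invoking user (run once, as that user).
# -t time-based, -d disallow code reuse, -f overwrite ~/.google_authenticator,
# -r 3 -R 30 rate-limit to three attempts per 30 seconds.
enroll_totp() {
    google-authenticator -t -d -f -r 3 -R 30
}

# sshd uses the FIRST value it sees for a keyword, so report that one.
# Commented-out lines ("#Keyword ...") do not match. Match blocks are not parsed.
sshd_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Return 0 when the config has the intended shape, 1 when it is still weak
# (plain password login on) or lacks the PAM/interactive path ssh-copy-id needs.
audit_sshd_config() {
    f="$1"
    [ "$(sshd_get "$f" PasswordAuthentication)" = "no" ] ||
        { echo "weak: PasswordAuthentication is not 'no' in $f" >&2; return 1; }
    [ "$(sshd_get "$f" UsePAM)" = "yes" ] ||
        { echo "missing: UsePAM yes in $f" >&2; return 1; }
    [ "$(sshd_get "$f" ChallengeResponseAuthentication)" = "yes" ] ||
        { echo "missing: ChallengeResponseAuthentication yes in $f" >&2; return 1; }
    grep -qi '^AuthenticationMethods[[:space:]].*keyboard-interactive' "$f" ||
        { echo "missing: AuthenticationMethods with keyboard-interactive in $f" >&2; return 1; }
    return 0
}
```

After copying the fragments into place, run sshd -t before restarting and keep an existing session open until a second login has been tested. A new device then runs ssh-copy-id, answers the password and verification-code prompts once, and from then on authenticates by key without any prompt; the password path itself never has to be toggled on and off. Note that the audit checks only global directives, not Match blocks, and that it mirrors sshd's first-value-wins rule, so a hardening line appended below an earlier PasswordAuthentication yes does nothing.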