[vox-tech] sshd_config and PasswordAuthentication

Karsten M. Self kmself at ix.netcom.com
Fri Jul 22 12:02:41 PDT 2005


on Fri, Jul 22, 2005 at 10:01:32AM -0500, Jay Strauss (me at heyjay.com) wrote:
> 
> >No.
> >
> >The authentication is handled by SSH using the public/private keypair.
> >The system password itself isn't involved in the authentication at all.
> >
> >It's possible to have users whose remote passwords are unknown or
> >disabled by this method.  This is the case for a number of remote hosts
> >I access regularly.
> >
> >
> >Peace.
> >
> 
> Karsten, I apologize, I didn't realize I hadn't responded.  Thanks for 
> all the info.
> 
> I think you are talking about passwordless authentication, 

It's not "passwordless", which is a description of negation.  It is
possible to set up accounts and SSH-keys without passwords or
passphrases.  Naturally, this is highly insecure.

Rather, this is SSH-key authorization, based on PKI (public-key
infrastructure).  Two keys, halves of a pair, one public, one private,
used for cryptographically secure authentication.

> ie public/private keypair, where once it's setup, all I have to do is
> logon to boxA then can ssh to boxB without typing a password.  

Nearly.  

The SSH-key authentication allows you to authenticate with a token other
than your password.  Normally you create a *passphrase* to secure your
SSH key.  A program called 'ssh-agent' can supply this passphrase on
request to any program requesting it, allowing you to then access and/or
run commands on remote systems without having to enter a password each
time.  You _do_ need to initially supply the passphrase to ssh-agent.


  - Generate your key as I've said.

  - Copy the *public* key to the remote host.

  - Ensure you're running ssh-agent locally.  For most current GNU/Linux
    distros, if you're running X, the session itself runs under
    ssh-agent, meaning all processes launched under the session will
    have access to the agent.  This is specified by a couple of
    environment variables, e.g.:

        SSH_AGENT_PID=6341
        SSH_AUTH_SOCK=/tmp/ssh-YTUqYA3655/agent.6535

  - Feed the agent your *passphrase*.  This secures your *key*, it need
    not be the same as either local or remote passwords, and should
    ideally be different.

  - Access your remote system:  ssh remotehost

    You won't be prompted for a password.

  

> I've done this on a number of my boxes (currently and in the past).
> 
> I didn't realize that PasswordAuthentication was related to the above. 

It's not, directly.

However, as a security measure, you can disable password authentication
on boxes being accessed remotely, to ensure that SSH-key authentication
is *always* used.

> I thought you were telling me that when this is set to "no" then I still 
> type my password, then some magic happens, and I login to the remote box 
> but I never send my password down the line.

No.  If "PasswordAuthentication no" is set in /etc/ssh/sshd_config, on
the remote host, then you *must* use another method, and my
understanding is that this limits you to SSH-passkey.  Your remote
password (tunneled and encrypted or not) *won't* work.
 


Peace.

-- 
Karsten M. Self <kmself at ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Information is not power after all: Old-fashioned power is power. If you
  aren't big industry or government, you have very little power. Once they've
  hacked the electronic voting system, you'll have no power at all.
  - Robert X. Cringely
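An added example for the thread above (not from Karsten's post, and not OpenSSH's own code): a POSIX shell script that turns the client-side steps listed earlier (generate the key, copy the public half, make sure an agent is reachable, feed it the passphrase) into functions, and adds a check for the server-side point about `PasswordAuthentication no` in `/etc/ssh/sshd_config`. The key path `$HOME/.ssh/id_ed25519`, the name `remotehost`, and the sample config are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example for the thread above (not from the original post).
# Client side: the four steps from the post, as shell functions.
# Server side: a check of the effective PasswordAuthentication value.
# Assumptions: OpenSSH client tools are installed, "$HOME/.ssh/id_ed25519"
# is the key path, and "user@remotehost" is a placeholder remote.

KEY="${KEY:-$HOME/.ssh/id_ed25519}"

# Step 1: generate the keypair.  ssh-keygen prompts for a passphrase;
# leave it non-empty, the post warns that an unprotected key is insecure.
generate_key() {
    ssh-keygen -t ed25519 -f "$KEY"
}

# Step 2: install only the *public* half on the remote host.
install_public_key() {
    ssh-copy-id -i "$KEY.pub" "$1"      # $1 = user@remotehost (placeholder)
}

# Step 3: is ssh-agent reachable from this session?  The agent advertises
# itself through SSH_AUTH_SOCK (and SSH_AGENT_PID); the socket must exist.
agent_available() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Step 4: hand the passphrase to the agent once; later ssh calls are silent.
load_key() {
    agent_available || eval "$(ssh-agent -s)"
    ssh-add "$KEY"
}

# Server side: report the effective PasswordAuthentication value from an
# sshd_config read on stdin.  sshd uses the first occurrence of a keyword
# (keywords are case-insensitive) and defaults to "yes" when the directive
# is absent; commented lines are skipped because their first field starts
# with "#".  Match blocks are not handled (assumption: the file has none).
password_auth_effective() {
    awk 'tolower($1) == "passwordauthentication" && !seen { print tolower($2); seen = 1 }
         END { if (!seen) print "yes" }'
}

# Exit 0 when the file given as $1 enforces key-only login, 1 otherwise.
password_auth_disabled() {
    [ "$(password_auth_effective < "$1")" = "no" ]
}

# Constructed sample config (not a real host's file) for a stand-alone run:
# the commented line and the later "yes" must both lose to the first "no".
SAMPLE_CONFIG='# constructed sshd_config excerpt
#PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_CONFIG" | password_auth_effective
    agent_available && echo "agent reachable at $SSH_AUTH_SOCK" || echo "no agent in this session"
fi
```

Run it as `sh script.sh demo` to see the sample config evaluate to `no` and whether the current session has an agent; on a real server, `password_auth_disabled /etc/ssh/sshd_config` gives a yes/no exit status that can go into a monitoring check.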