On 6/10/11 10:48 AM, Eero Volotinen wrote:
> 2011/6/10 Les Mikesell<lesmikes...@gmail.com>:
>> On 6/10/2011 3:35 AM, Ljubomir Ljubojevic wrote:
>>> Robert Spangler wrote:
>>>> On Thursday 09 June 2011 17:34, the following was written:
>>>>
>>>>> How to configure sshd to required both ssh public key and user
>>>>> password also? yes, stupid, but required on my setup..
>>>>
>>>> Have you thought about securing your ssh keys with a pasword? I do that
>>>> here
>>>> so if someone would happen to get a hold of my keys they still could not
>>>> use
>>>> them. I am guessing that is why you are looking for both keys and
>>>> passwords.
>>>>
>>>>
>>> Not really. My view is so he can authenticate from his own PC without
>>> the need to type the password, but if he is on someone else's system he
>>> whould use regular password. That is what I would like to be able to do.
>>
>> That's just normal behavior when both are enabled. If the key works,
>> you don't get the password prompt. But even in the 'ultrasecure'
>> scenario of requiring both, do you really want people typing their
>> passwords on equipment that might have a keylogger running?
>
> Yes, because of compliancy requirements. ssh public key does not
> support expiring public keys. (maybe you can use cron job to delete too
> old public keys from server?)
You could do that - or disable the logins where old keys exist, but you'd need
to keep your own database of old keys to check since they are appended in the
file and you probably wouldn't trust the timestamp anyway. And you'd need some
way to fix the situation after the user is locked out.
How about running openvpn with client certs to get through a firewall, then ssh
with passwords? That could all run on the same box or you could only block
port
22 from 'outside' for more convenient access.
--
Les Mikesell
lesmikes...@gmail.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
