Re: How can I make SSH with an identity file always demand a password?

On 8/24/2021 6:26 PM, Damien Miller wrote:
On Tue, 24 Aug 2021, Jochen Bern wrote:

On 23.08.21 12:18, Stuart Henderson wrote:
Other replies have looked at this from the client side and agent caching,
but you can also require on the server that a password *as well as* a
public key is offered. That also guards against users who did not use
a password/passphrase to protect their key.

Or [ fail to use | use a reimplementation that lacks ] the "-c" and "-t"
options of ssh-add.

However, I seem to remember that at some point (one or two years ago?),
there was an announcement that in future versions of OpenSSH, the server
side may get *told* whether the auth was done with or without *human*
interaction on the client side (i.e., when talking about user keypair
auth, passphrase entered vs. straight out of some agent) and could
reject a non-interactive attempt, which would satisfy the OP's need. Any
news of that, or am I misremembering?

Someone might have asked, but I would have replied that it would not
be reliable as the client could simply lie about whether the attempt
was interactive or not, thereby making it an unreliable signal at the
server.

Since then, FIDO keys have come along. The user-presence/user-verified
bits are probably the closest you can come to this. We fully support
these, but there are caveats - the biggest of which is that you have
to implement your own key attestation flow to ensure the keys that
you're trusting at the server are actually resident on hardware.

One way to do this is with certificate extensions.
I did that for Shibboleth, AD and gov-issued PIV cards years ago. The government
agency CA will only add the Microsoft EKU Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
to the authentication certificate where the key resides on the smart card.
This requires trusting this policy of the CA.
(Never tried that with SSH.)


-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


--

 Douglas E. Engert  <DEEngert@xxxxxxxxx>
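Damien's point that the server must check what kind of key it is trusting has a simpler, partial counterpart in sshd's own authorized_keys options: the `sk-` key types and the `verify-required` option, which makes sshd demand the FIDO user-verified bit. The following added example (not from this thread or from the OpenSSH project) audits authorized_keys entries offline, parsing the wire-format key blob, checking it agrees with the declared type, and rejecting entries that are not FIDO keys or lack `verify-required`; the sample entries, filler key bytes and command path are constructed.

```python
import base64
import struct

SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}  # FIDO-backed
def ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b
def parse_blob(b64: str) -> list:
    """Decode a base64 key blob into its wire-format string fields."""
    blob, off, fields = base64.b64decode(b64), 0, []
    while off + 4 <= len(blob):
        (n,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields
def split_fields(line: str) -> list:
    """Split an authorized_keys line on whitespace, keeping quoted option values intact."""
    out, cur, quoted = [], "", False
    for ch in line.strip() + " ":
        quoted ^= ch == '"'
        if ch.isspace() and not quoted:
            out, cur = out + [cur] if cur else out, ""
        else:
            cur += ch
    return out
def audit_line(line: str) -> dict:
    """Classify one entry: key type, FIDO application, options, accept/reject verdict."""
    fields = split_fields(line)
    # Option names never start with a key-type prefix, so a leading non-type token is options.
    idx = 0 if fields[0].startswith(("ssh-", "ecdsa-", "sk-")) else 1
    options = fields[0].split(",") if idx else []
    ktype, blob = fields[idx], parse_blob(fields[idx + 1])
    if blob[:1] != [ktype.encode()]:  # the blob carries its own type string; they must agree
        raise ValueError("key blob does not match declared type: " + ktype)
    is_sk = ktype in SK_TYPES
    verdict = ("accept" if is_sk and "verify-required" in options
               else "reject: FIDO key without verify-required" if is_sk
               else "reject: not a FIDO (sk-) key")
    return {"type": ktype, "options": options, "verdict": verdict,
            "application": blob[-1].decode() if is_sk else None}  # last sk- field: FIDO application

# Constructed sample entries (not real credentials); 32 filler bytes stand in for the public key.
SK_BLOB = base64.b64encode(ssh_string(b"sk-ssh-ed25519@openssh.com") + ssh_string(b"\x11" * 32) + ssh_string(b"ssh:")).decode()
PLAIN_BLOB = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(b"\x22" * 32)).decode()
SAMPLE_AUTHORIZED_KEYS = [
    f'verify-required,command="/usr/local/bin/audit-shell --fido" sk-ssh-ed25519@openssh.com {SK_BLOB} laptop',
    f"sk-ssh-ed25519@openssh.com {SK_BLOB} touch-only",
    f"ssh-ed25519 {PLAIN_BLOB} software-key",
]
```

This only checks what sshd is configured to require; whether the key really lives on an authenticator still needs the attestation flow Damien describes.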
