Re: Unix (pam) authorization with required public key

You probably should have a look at Kerberos and limit your ssh server to
Kerberos authentication (GSSAPIAuthentication yes) but disallow PAM
(UsePAM no) and others like public key authentication.
With Kerberos your client and server have to be known by the Kerberos
server and have to have a Kerberos key (as far as I know). The Kerberos
database can be put into LDAP. Microsoft's AD does this, but it is
possible to do this with OpenLDAP too.
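As an added example (not part of the original thread), here is a small POSIX shell auditor for the policy proposed above: read an sshd_config and report whether only GSSAPI/Kerberos authentication is left enabled. It follows sshd's own rules for resolving the file, which is where such lockdowns usually go wrong: the first occurrence of a keyword wins, keywords are case-insensitive, both `Key value` and `Key=value` forms are accepted, and everything after the first `Match` block is conditional (so it is ignored here). The two configs embedded below are constructed for illustration; the default values assumed for absent keywords are OpenSSH's.

```shell
#!/bin/sh
# Added example, not from the thread: audit the authentication policy of an
# sshd_config. Sample configs below are constructed for illustration.
#
# sshd takes the FIRST occurrence of a keyword, keywords are case-insensitive,
# "Key value" and "Key=value" are both accepted, and directives after the
# first "Match" block are conditional, so parsing stops there.
# ChallengeResponseAuthentication is the old spelling of
# KbdInteractiveAuthentication; both are treated as the same keyword.

# sshd_effective KEYWORD DEFAULT  (config text on stdin) -> effective value
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if [ "$key" = challengeresponseauthentication ]; then
        key=kbdinteractiveauthentication
    fi
    awk -v key="$key" -v def="$2" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        line == "" || substr(line, 1, 1) == "#" { next }
        {
            split(line, f, /[[:space:]=]+/)
            k = tolower(f[1])
            if (k == "challengeresponseauthentication") k = "kbdinteractiveauthentication"
        }
        k == "match" { exit }                      # global section ends here
        k == key && !found { found = 1; val = tolower(f[2]) }   # first wins
        END { print (found ? val : def) }
    '
}

# kerberos_only_check (config on stdin): prints "ok" when only GSSAPI/Kerberos
# authentication remains enabled, as proposed above, otherwise "fail:"
# followed by the directives whose effective value is wrong.
# Assumed OpenSSH defaults: GSSAPIAuthentication no, UsePAM no,
# PubkeyAuthentication yes, PasswordAuthentication yes,
# KbdInteractiveAuthentication yes.
kerberos_only_check() {
    cfg=$(cat)
    bad=""
    want() {  # want KEYWORD DEFAULT EXPECTED
        [ "$(printf '%s\n' "$cfg" | sshd_effective "$1" "$2")" = "$3" ] || bad="$bad $1"
    }
    want GSSAPIAuthentication no yes
    want UsePAM no no
    want PubkeyAuthentication yes no
    want PasswordAuthentication yes no
    want KbdInteractiveAuthentication yes no
    if [ -z "$bad" ]; then echo ok; else echo "fail:$bad"; fi
}

# Constructed sample 1: the Kerberos-only setup proposed above.
KERBEROS_ONLY='
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM no
PubkeyAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
'

# Constructed sample 2: "UsePAM no" was appended to a stock config, but the
# stock "UsePAM yes" higher up wins, so PAM password logins still work.
LATE_OVERRIDE='
UsePAM yes
GSSAPIAuthentication yes
PubkeyAuthentication no
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no
'

printf '%s\n' "$KERBEROS_ONLY" | kerberos_only_check   # ok
printf '%s\n' "$LATE_OVERRIDE" | kerberos_only_check   # fail: UsePAM
```

On a live host, `sshd -T` prints the already-resolved effective configuration (one lowercase keyword per line), so `sshd -T | kerberos_only_check` is the authoritative check; the parser above is for reviewing files offline. Two caveats for anyone following the advice: `UsePAM no` also switches off PAM account and session handling (pam_access, limits, and similar), not just password checking; and the combination the original poster actually asked for, a mandatory key plus the account's own password, is supported natively in OpenSSH 6.2 and later through `AuthenticationMethods publickey,keyboard-interactive` with `UsePAM yes`, which did not exist when this thread was written.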

On 09/01/2010 12:17 AM, Илья Скорик wrote:
Approximately so.

The problem is that people from an enterprise network have access to the
server, and there is Windows in their network. Recently a virus stole
the passwords of one of the managers, logged on to one of the servers
and downloaded the malicious software.

I would like to restrict access in the case of simple theft of
passwords by viruses, but I am not able to do it in the standard manner,
because from the server side all managers come from the same IP address.
Also I don't want to set up authorization through a public key, since it
isn't compatible with LDAP authorization on the server, and managers
can get onto the server without entering any passwords.

All that I want is the mandatory presence of a public key and standard
authorization with a request for the password which is stored on the

2010/8/31 Mark Naker <mnaker@xxxxxxxxx>:
If I understand correctly, you are trying to use a public key setup in ssh
that is passphrase protected by the destination hosts local password. If I
have not understood correctly, feel free to ignore the rest of this email.

This is not possible in an easily configured and direct method.

I have not set up ssh in this way; however, it should be possible to stack
authentication methods in your PAM configuration such that first the
public key would be used, and then the machine would also ask for the local
password. You will need to play around with the sshd_config file quite a

You may see a result where users have to enter their key passphrase and the
password of the destination system with a setup like this.

It is also possible that you may have to write your own PAM module to handle
authentication in this manner.

Good luck!

2010/8/31 Илья Скорик <ilya@xxxxxxxxx>

We haven't understood each other.

I have set up authorization with a public key. But there are only two methods:

1. The server authorizes without a password (if the key was generated
without a password).

2. The client asks for the key password (if the key is protected by the

What I need is:

1. That the client must have a public key without a password, without
which the server won't let the client in.

2. That at authorization the client would ask for the unix password of the
user on the server.

2010/8/31 Greg Wooledge <wooledg@xxxxxxxxxxx>:
On Tue, Aug 31, 2010 at 10:51:08AM +0400, Ilya Skorik wrote:
I want to set up ssh authorization through unix/pam with a mandatory public
key. I want to make sure that, besides the password, the user has an
acknowledgement of legitimacy in the form of a public key. Thus the
password should be from unix/pam, not from the key.

I tried different variants. It turned out either with a key and without the
password, or the password was taken from the key instead of from

Public key authentication does not involve a password, and it does not
involve PAM.

If you are attempting to require the use of a passPHRASE on the private
key, then you need to be aware that the private key is only seen by the
ssh client, not the server. The server has no idea whether the key was
passPHRASE protected or not.

Server-side passWORDS have nothing at all to do with public key
authentication, or with the passPHRASES that are used to protect the
private keys.

Yours faithfully, Ilya Skorik

:(){ :|:& };:
