Re: OpenSSH: force password authentication

From: Darren Dunham (ddunham_at_redwood.taos.com)
Date: 06/23/04

    Date: Wed, 23 Jun 2004 19:47:34 GMT
    
    

    cat54me <cat54me@yahoo.it> wrote:
    > Hi all,
    > I set up passwordless public key authentication from a client to a
    > server to run an automated backup job (rsync).
    > I am running OpenSSH 3.6.1p2 on Red Hat Enterprise Linux 3.

    > I set up the public key with a forced command on the server, in order to
    > run a validating script and only allow the backup task, otherwise it will
    > close the ssh connection, and it works fine.

    And unstated, I suppose you also set up a private key on the local
    client in the default location for the client identity.

    > But sometimes I need to connect to the server via ssh to run some
    > interactive commands and would like to use password authentication for that.

    > Right now that is not possible, since when I try to connect to the
    > server via ssh, the ssh client will pick up the PKI authentication first
    > and the forced command (validating script) on the server won't allow me
    > an interactive session, it will close the ssh connection.

    > Is there any way to force the ssh client to use password authentication
    > first only for interactive sessions? E.g. a command line switch or
    > something like that ...

    Take a look at the options available in the ssh_config file.

    One way is to have the restricted key not be in the default identity
    file. Make the automated process reference it explicitly. (I do this
    preferentially)

      ssh -o IdentityFile=auto_backup ... or
      ssh -i auto_backup ...

    Another way is to change the attempted authentication methods.

      ssh -o PreferredAuthentications=keyboard-interactive,password ...

    Or just disable public key authentication.

      ssh -o PubkeyAuthentication=no ...

    -- 
    Darren Dunham                                           ddunham@taos.com
    Senior Technical Consultant         TAOS            http://www.taos.com/
    Got some Dr Pepper?                           San Francisco, CA bay area
             < This line left intentionally blank to confuse you. >
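
The options named in the reply above can also be set per host alias in the client's `~/.ssh/config`, so the restricted backup key is never offered during an interactive login. This is an added example, not part of the original post; the alias names, host name, user and key path are assumptions, and `IdentitiesOnly` is only understood by OpenSSH releases newer than the 3.6.1p2 in the question (drop that line on older clients).

```sshconfig
# ~/.ssh/config on the client (constructed example, names are placeholders)

# Alias used only by the automated rsync job.
# The restricted key lives outside the default identity location.
Host backup-server
    HostName server.example.com
    User backup
    IdentityFile ~/.ssh/auto_backup
    # Offer only the key named above, even if an agent holds others.
    IdentitiesOnly yes
    PreferredAuthentications publickey
    # Never prompt: the job fails instead of hanging on a password prompt.
    BatchMode yes

# Alias used for interactive logins to the same machine.
# Public key authentication is off, so the forced command never triggers.
Host admin-server
    HostName server.example.com
    PubkeyAuthentication no
    PreferredAuthentications keyboard-interactive,password
```

The backup job connects to `backup-server` and interactive sessions use `ssh admin-server`. The server must still permit password or keyboard-interactive authentication in `sshd_config` for the second alias to work.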
    
