Two part SSH authentication with key and remote unix password

James Matthews nytrokiss at gmail.com
Sun May 17 11:17:06 UTC 2009


It's very good that you are doing this. It's also very important not to only
create a login based on the key file. A Fedora Core update server was hacked
like this...

On Fri, May 15, 2009 at 7:04 PM, komputes <komputes at gmail.com> wrote:

> Carl Friis-Hansen wrote:
> > komputes wrote:
> >
> >> I would like to edit the PAM authentication procedure for SSH so that a
> >> key is needed to connect, but then the remote UNIX password is requested
> >> before sending a command prompt.
> >>
> >> Another nice-to-have is if the password authentication fails 9 times (3
> >> connection attempts) the IP is logged and blocked, using ufw syntax
> >> (preferred over iptables).
> >>
> >> In my head it looks a little something like this:
> >>
> >> ssh bob@remote.server
> >>                 |
> >>                 |
> >>          Public Key?--[no]--> Fail - disconnect and log attempt
> >>                 |
> >>              [yes]
> >>                 |
> >>        UNIX Password?--[no]--> Fail*3=disconnect and log attempt. Fail*9=block IP.
> >>                 |
> >>              [yes]
> >>                 |
> >>      Great Success -> bob@remote:~$
> >>
> >> If anyone has the smarts to guide me through this I'd appreciate the help.
> >>
> >> -komputes
> >>
> >
> > Could you use something like pam-abl?
> >
> > http://tech.tolero.org/blog/en/linux/ssh-password-brute-force-protection
> >
> >
> Thank you Carl. This is useful and helps with the request to block an IP
> after a number of failed entries. Although I find that it lacks details
> on what it actually does, and as far as I can see it is not in the
> Ubuntu repositories. I will give it a chance and look into it, to see
> how it works. Meanwhile, can anyone help me with my request for changing
> the authentication process to request key authentication followed by
> UNIX user authentication when connecting via ssh, as this is the most
> important to me.
>
> -komputes
>



-- 
http://www.goldwatches.com
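
The blocking step in the diagram quoted above (9 failed passwords from one address, then a ufw block), as an added example that is not part of the original thread. It assumes OpenSSH's usual "Failed password for ... from <ip> port <n> ssh2" syslog line and SSH on port 22; the function names are hypothetical and the log lines are constructed samples.

```python
import ipaddress
import re
from collections import Counter

BLOCK_AFTER = 9  # threshold from the post: 9 failed passwords (3 connections x 3 tries)

# The user name is client-supplied text and may itself contain "from <ip> port <n>".
# A greedy match anchored at end of line takes the address only from the trailing
# "from <ip> port <n>" that sshd appends, never from inside the user name.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
    r"from (\S+) port \d+(?: ssh\d?)?\s*$"
)

def failed_by_source(lines):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))  # drop anything that is not an IP
        except ValueError:
            continue
        counts[str(addr)] += 1
    return counts

def ufw_block_commands(lines, threshold=BLOCK_AFTER):
    """Return one ufw deny command per address at or over the threshold."""
    return [
        f"ufw deny proto tcp from {ip} to any port 22"
        for ip, n in sorted(failed_by_source(lines).items())
        if n >= threshold
    ]

# Constructed sample log lines (documentation address ranges), not real data.
SAMPLE = (
    ["May 15 19:04:01 host sshd[411]: Failed password for bob from 203.0.113.9 port 40022 ssh2"] * 9
    + ["May 15 19:05:10 host sshd[412]: Failed password for invalid user x from 198.51.100.7 port 1 ssh2 from 192.0.2.44 port 5151 ssh2"] * 9
    + ["May 15 19:06:00 host sshd[413]: Failed password for bob from 192.0.2.80 port 40100 ssh2"] * 3
    + ["May 15 19:06:30 host sshd[413]: Accepted password for bob from 192.0.2.80 port 40100 ssh2"]
)

if __name__ == "__main__":
    for cmd in ufw_block_commands(SAMPLE):
        print(cmd)
```

ufw applies the first matching rule, so a deny added after an existing allow for port 22 has no effect unless it is placed ahead of it with `ufw insert`.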