prompt or not prompt for the password depending on the user - SSH

This is a discussion on prompt or not prompt for the password depending on the user - SSH ; I want the server to prompt or not prompt for the password depending on the user. Can host based authentication (using ~/.ssh/authorized_keys, etc) do that? e.g. # ssh john@server prompt for password # ssh powah@server no prompt for password...

+ Reply to Thread
Results 1 to 8 of 8

Thread: prompt or not prompt for the password depending on the user

  1. prompt or not prompt for the password depending on the user

    I want the server to prompt or not prompt for the password depending
    on the user.
    Can host based authentication (using ~/.ssh/authorized_keys, etc) do
    that?
    e.g.
    # ssh john@server
    prompt for password

    # ssh powah@server
    no prompt for password


  2. Re: prompt or not prompt for the password depending on the user

    wong_powah@yahoo.ca wrote:
    > I want the server to prompt or not prompt for the password depending
    > on the user.
    > Can host based authentication (using ~/.ssh/authorized_keys, etc) do
    > that?
    > e.g.
    > # ssh john@server
    > prompt for password
    >
    > # ssh powah@server
    > no prompt for password
    >

    Tat sure is secure!

  3. Re: prompt or not prompt for the password depending on the user

    On Jun 20, 8:06 pm, Dave wrote:
    > wong_po...@yahoo.ca wrote:
    > > I want the server to prompt or not prompt for the password depending
    > > on the user.
    > > Can host based authentication (using ~/.ssh/authorized_keys, etc) do
    > > that?
    > > e.g.
    > > # ssh john@server
    > > prompt for password

    >
    > > # ssh powah@server
    > > no prompt for password

    >
    > Tat sure is secure!


    For the known client C to ssh to server, no prompt for password for
    the user powah, else still prompt for password for all unknown
    clients. This is host based authentication.


  4. Re: prompt or not prompt for the password depending on the user

    On Jun 20, 8:06 pm, Dave wrote:
    > wong_po...@yahoo.ca wrote:
    > > I want the server to prompt or not prompt for the password depending
    > > on the user.
    > > Can host based authentication (using ~/.ssh/authorized_keys, etc) do
    > > that?
    > > e.g.
    > > # ssh john@server
    > > prompt for password

    >
    > > # ssh powah@server
    > > no prompt for password

    >
    > Tat sure is secure!


    To clarify:
    I want the server to prompt or not prompt for the password depending
    on the user and client.
    How to do that?
    Can host based authentication (using ~/.ssh/authorized_keys, etc) do
    that?
    e.g.
    from a known client,
    # ssh john@server
    prompt for password

    # ssh powah@server
    no prompt for password

    from an unknown client,
    # ssh john@server
    prompt for password

    # ssh powah@server
    prompt for password


  5. Re: prompt or not prompt for the password depending on the user

    In article <1182396993.907439.287390@p77g2000hsh.googlegroups. com>
    wong_powah@yahoo.ca writes:
    >
    >To clarify:
    >I want the server to prompt or not prompt for the password depending
    >on the user and client.
    >How to do that?
    >Can host based authentication (using ~/.ssh/authorized_keys, etc) do
    >that?


    HostbasedAuthentication doesn't use authorized_keys, that's for
    PubkeyAuthentication. Anyway the answer is "sort of" for both - i.e. it
    can be set up the way you want, but you normally can't make sure it
    stays that way.

    HostbasedAuthentication isn't used much, since the security is pretty
    weak - I believe it's disabled by default in most sshd installations.
    But anyway you could set it up with the client's public key in that
    user's ~/.shosts file, and IgnoreRhosts=no in sshd_config. But then
    normally nothing prevents that user from adding other client public
    keys to his ~/.shosts, or other users from adding any client public keys
    to theirs.

    With PubkeyAuthentication, you could set up that user's
    ~/.ssh/authorized_keys with the *user's* public key, and the added
    restriction of a from= option. But then normally nothing prevents that
    user from removing that restriction, or other users from putting
    whatever they want in their ~/.ssh/authorized_keys. Of course this
    situation is the default in most sshd installations.

    All of the above applies to OpenSSH, don't know about others, you didn't
    say what SSH implementation you were asking about.

    --Per Hedeland
    per@hedeland.org

  6. Re: prompt or not prompt for the password depending on the user

    On Jun 21, 3:55 pm, p...@hedeland.org (Per Hedeland) wrote:
    > In article <1182396993.907439.287...@p77g2000hsh.googlegroups. com>
    >
    > wong_po...@yahoo.ca writes:
    >
    > >To clarify:
    > >I want the server to prompt or not prompt for the password depending
    > >on the user and client.
    > >How to do that?
    > >Can host based authentication (using ~/.ssh/authorized_keys, etc) do
    > >that?

    >
    > HostbasedAuthentication doesn't use authorized_keys, that's for
    > PubkeyAuthentication. Anyway the answer is "sort of" for both - i.e. it
    > can be set up the way you want, but you normally can't make sure it
    > stays that way.
    >
    > HostbasedAuthentication isn't used much, since the security is pretty
    > weak - I believe it's disabled by default in most sshd installations.
    > But anyway you could set it up with the client's public key in that
    > user's ~/.shosts file, and IgnoreRhosts=no in sshd_config. But then
    > normally nothing prevents that user from adding other client public
    > keys to his ~/.shosts, or other users from adding any client public keys
    > to theirs.
    >
    > With PubkeyAuthentication, you could set up that user's
    > ~/.ssh/authorized_keys with the *user's* public key, and the added
    > restriction of a from= option. But then normally nothing prevents that
    > user from removing that restriction, or other users from putting
    > whatever they want in their ~/.ssh/authorized_keys. Of course this
    > situation is the default in most sshd installations.
    >
    > All of the above applies to OpenSSH, don't know about others, you didn't
    > say what SSH implementation you were asking about.
    >
    > --Per Hedeland
    > p...@hedeland.org


    I use PubkeyAuthentication on OpenSSH.
    After the user login, then a special program (instead of the default
    shell) will start, parse the user commands and do only what is allowed
    for that user.
    Then the user cannot change its setting.


  7. Re: prompt or not prompt for the password depending on the user

    In article <1182473265.513197.19840@n2g2000hse.googlegroups.co m>
    wong_powah@yahoo.ca writes:
    >On Jun 21, 3:55 pm, p...@hedeland.org (Per Hedeland) wrote:
    >>
    >> With PubkeyAuthentication, you could set up that user's
    >> ~/.ssh/authorized_keys with the *user's* public key, and the added
    >> restriction of a from= option. But then normally nothing prevents that
    >> user from removing that restriction, or other users from putting
    >> whatever they want in their ~/.ssh/authorized_keys. Of course this
    >> situation is the default in most sshd installations.
    >>
    >> All of the above applies to OpenSSH, don't know about others, you didn't
    >> say what SSH implementation you were asking about.


    >I use PubkeyAuthentication on OpenSSH.
    >After the user login, then a special program (instead of the default
    >shell) will start, parse the user commands and do only what is allowed
    >for that user.
    >Then the user cannot change its setting.


    OK, that possibility is why I sprinkled all those "normally" over the
    text. Then PubkeyAuthentication set up as above should be fine - see the
    sshd man page for the details of the format to use in authorized_keys.

    --Per Hedeland
    per@hedeland.org

  8. Re: prompt or not prompt for the password depending on the user

    wong_powah@yahoo.ca wrote:
    > On Jun 20, 8:06 pm, Dave wrote:
    >> wong_po...@yahoo.ca wrote:
    >>> I want the server to prompt or not prompt for the password depending
    >>> on the user.
    >>> Can host based authentication (using ~/.ssh/authorized_keys, etc) do
    >>> that?
    >>> e.g.
    >>> # ssh john@server
    >>> prompt for password
    >>> # ssh powah@server
    >>> no prompt for password

    >> Tat sure is secure!

    >
    > For the known client C to ssh to server, no prompt for password for
    > the user powah, else still prompt for password for all unknown
    > clients. This is host based authentication.
    >

    Sorry, I did not read the line about host-based authentication - I
    incorrectly assumed you wanted it to be based on just the username (as
    the subject might imply).

    Sorry.

+ Reply to Thread