Two part SSH authentication with key and remote unix password

komputes komputes at gmail.com
Fri May 15 16:04:56 UTC 2009


Carl Friis-Hansen wrote:
> komputes wrote:
>   
>> I would like to edit the PAM authentication procedure for SSH so that a
>> key is needed to connect, but then the remote UNIX password is requested
>> before sending a command prompt.
>>
>> Another nice-to-have is if the password authentication fails 9 times (3
>> connection attempts) the IP is logged and blocked, using ufw syntax
>> (preferred over iptables).
>>
>> In my head it looks a little something like this:
>>
>> ssh bob@remote.server
>>                 |
>>                 |
>>          Public Key?--[no]--> Fail - disconnect and log attempt
>>                 |
>>              [yes]
>>                 |
>>        UNIX Password?--[no]--> Fail*3=disconnect and log attempt. Fail*9=block IP.
>>                 |
>>              [yes]
>>                 |
>>      Great Success -> bob@remote:~$
>>
>> If anyone has the smarts to guide me through this I'd appreciate the help.
>>
>> -komputes
>>     
>
> Could you use something like pam-abl?
>
> http://tech.tolero.org/blog/en/linux/ssh-password-brute-force-protection
>
>   
Thank you Carl. This is useful and helps with the request to block an IP
after a number of failed entries. Although I find that it lacks details
on what it actually does, and as far as I can see it is not in the
Ubuntu repositories. I will give it a chance and look into it, to see
how it works. Meanwhile, can anyone help me with my request for changing
the authentication process to request key authentication followed by
UNIX user authentication when connecting via ssh, as this is the most
important to me.

-komputes
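
The "Fail*9=block IP" branch of the flow in this message, as an added example (not part of the thread and not how pam-abl works): it counts sshd "Failed password" lines per source address and prints the matching ufw rule. The function names are hypothetical, the log lines are constructed, and the usual OpenSSH syslog line format is assumed.

```python
import ipaddress
import re
from collections import Counter

BLOCK_AFTER = 9  # threshold from the post: 9 failed passwords = block the IP

# Constructed sample log (documentation addresses), not taken from the thread.
_FMT = "May 15 16:0{}:00 remote sshd[41{:02d}]: Failed password for {} from {} port 40{:03d} ssh2"
SAMPLE_LOG = "\n".join(
    [_FMT.format(1, i, "bob", "203.0.113.9", i) for i in range(9)]
    + [_FMT.format(2, i, "bob", "198.51.100.20", i) for i in range(3)]
    # User name chosen by the client to look like a log tail naming another host.
    + [_FMT.format(3, 0, "invalid user x from 192.0.2.1 port 22 ssh2",
                   "198.51.100.20", 7)]
    + ["May 15 16:04:00 remote sshd[4200]: Accepted publickey for bob "
       "from 192.0.2.50 port 50000 ssh2"]
)

# Greedy ".*" plus the end-of-line anchor selects the address sshd appended,
# not "from <ip>" text smuggled in through the user name field.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")


def failed_counts(log_text):
    """Return a Counter of failed password attempts keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))  # reject anything not an IP
        except ValueError:
            continue
        counts[str(ip)] += 1
    return counts


def ufw_rules(counts, threshold=BLOCK_AFTER):
    """Build (but do not run) one ufw deny rule per address at the threshold."""
    return [f"ufw deny from {ip}" for ip, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    for rule in ufw_rules(failed_counts(SAMPLE_LOG)):
        print(rule)
```

The rules are only printed, so they can be reviewed before being applied with root privileges.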