How can I make SSH with an identity file always demand a password?

Stuart Henderson stu at spacehopper.org
Mon Aug 23 20:18:47 AEST 2021


On 2021/08/21 20:19, matthewhtb at danwin1210.me wrote:
> Hello,
> 
> I hope my question is apt for this list.
> 
> I am using OpenSSH_8.2p1 on Ubuntu 20.04.
> 
> I connect to a remote SSH server with the -i /path/to/file identity file
> option. My local machine asks me for a password for the identity file.
> This is because I created a password when using ssh-keygen.
> 
> However, after I exit from the SSH server, and log back in I am not asked
> for a password. Some kind of caching is happening.
> 
> Is there a way to force the password to be asked on every occasion when
> using an identity file?
> 
> I have searched but it looks as if everyone wants to avoid using
> passwords, not deliberately attempting to use them.

Other replies have looked at this from the client side and agent caching,
but you can also require on the server that a password *as well as* a
public key is offered. That also guards against users who did not use
a password/passphrase to protect their key. See sshd_config(5):

  AuthenticationMethods
           Specifies the authentication methods that must be successfully
           completed for a user to be granted access.  This option must be
           followed by one or more lists of comma-separated authentication
           method names, or by the single string any to indicate the default
           behaviour of accepting any single authentication method.  If the
           default is overridden, then successful authentication requires
           completion of every method in at least one of these lists.

           For example, "publickey,password publickey,keyboard-interactive"
           would require the user to complete public key authentication,
           followed by either password or keyboard interactive authentication.
           Only methods that are next in one or more lists are offered at each
           stage, so for this example it would not be possible to attempt
           password or keyboard-interactive authentication before public key.
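As an added illustration (not part of Stuart's reply or of OpenSSH's own documentation), here is a drop-in sshd_config(5) fragment that applies the AuthenticationMethods setting he quotes. It assumes a sshd_config like Ubuntu 20.04's, which starts with `Include /etc/ssh/sshd_config.d/*.conf`; the file name and the `keyonly` group are made up for the example.

```text
# /etc/ssh/sshd_config.d/50-require-key-and-password.conf  (example path)
#
# Require a public key AND the account password.  The second list lets
# keyboard-interactive stand in for password if ChallengeResponseAuthentication
# is enabled; on a stock Ubuntu install it is not, so only the first list applies.
AuthenticationMethods publickey,password publickey,keyboard-interactive

# Both methods must be enabled, otherwise sshd has nothing to offer at the
# second stage and every login fails.  For a given keyword sshd uses the first
# value it reads, so this file must sort before any drop-in that sets
# PasswordAuthentication no (cloud images often ship one).
PubkeyAuthentication yes
PasswordAuthentication yes

# Optional: exempt an automation account that must log in unattended.
# AuthenticationMethods is permitted inside a Match block.
Match Group keyonly
    AuthenticationMethods publickey
```

Run `sshd -t` before reloading so a syntax error cannot lock you out, keep the current session open while testing from a second one, and confirm the value that actually applies to a user with `sshd -T -C user=alice,host=alice.example,addr=192.0.2.10 | grep -i authenticationmethods` (alice and the addresses are placeholders). Note what this does and does not achieve: sshd will now prompt for the account password after the key is accepted, which is a genuine second factor for every user of that server, but it does not make the client ask for the key's passphrase again; that prompt is a client-side matter decided by whether the decrypted key is sitting in an agent, which is what the other replies address.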
