Authentication

When the SSH agent is running, the ssh-add command can be used to load a SSH key. The SSH agent then will request a password when needed, and load the key details in memory. Adding the SSH key just requires the path to the private key. ssh-add ~/.ssh/id_ed25519 When the key is loaded, use the -l or -L option to show the identities that the SSH agent has. ssh-add -l

The agent forwarding feature in SSH allows using your local SSH agent to be reached through an existing SSH connection. This way you don’t have to store copies of your private keys on intermediate systems to use them for authentication. While SSH agent forward simplifies things, it also introduces a new risk related to Unix domain socket. If a user on the intermediate system can access the related socket, then it may abuse this connection back to the SSH agent to authenticate on your behalf.

The ssh-agent command is started manually using eval $(ssh-agent). This will initiate the SSH agent and make it available for clients, such as ssh, to use it. To confirm that the agent is running is by looking at the SSH_AUTH_SOCK environment variable. Automatic start of SSH agent Gnome Keyring SSH Agent When using Gnome, it typically comes with its SSH agent as part of Keyring. This will automatically load any files in ~/.

The ssh-agent command starts the SSH agent, a helper utility to store private keys when using public key authentication. The ssh-agent process is usually started at the the beginning of a login session and then can be connected to by a SSH client. Clients can detect the environment variable named SSH_AUTH_SOCK. Related settings on the client IdentityAgent

Disable usage of SSH agent identities

Disable check for host authenticity

Use an escape sequence to terminate a connection that is stuck

Remove a passphrase from existing SSH key

How to see the available SSH keys in the OpenSSH authentication agent

Sometimes you might want to check if an account on the system has a password set. One of the reasons is to disable those, so you can enforce that only SSH authentication might be used, for example. There are a few ways to see if a password is set. Using the passwd command The first command that comes to mind is using the passwd command. Normally you would use that to change your password, but it can actually also reveal useful details about existing accounts.

Using pam_tally2 on Linux Most Linux distributions use pluggable authentication modules (PAM). This modular type of configuration allows system administrators to configure and fine-tune the authentication of users. It also defines the behavior on specific events, like providing an invalid user account or password. PAM can use these events to automatically take an action, like locking an account. Introduction to PAM The configuration of PAM is not that hard, but there are risks involved in the process of making changes.

Linux and password strength One of the options to improve password security is by setting a minimum length. This prevents users from choosing easy passwords. As part of Linux system hardening, you don’t want your passwords to be cracked too quickly by modern password crackers. Configuration Let’s have a look at how to configure password security and in particular the length and its strength. Login settings The first area where you can set a password length is in /etc/login.

The world has changed a lot in the last era, especially when it comes to computing. This applies also to the services we run on our Linux systems. Some of these services (like rlogin), were previously the defacto tools to do administration. Now they are considered to be bad and insecure. What makes a service insecure? Services can become insecure when they have characteristics like: No (or weak) authentication No (or weak) encryption Insecure protocols Running as root Authentication insecurities One example might be if a program only requires a password or pin, without any information like an username.

In need of support from a colleague or vendor, but don’t want to give them permanent access? SSH has an option to allow temporary access! Next time you need to provide temporary access for an hour or day, use this great option. Configuration We have two machines for this purpose. One is a system running Arch Linux, the client system. The other one is a server, running Ubuntu Linux. For temporary support, we have created a functional account support on the Ubuntu server.