Centos – Force password for ssh login


I have two servers with CentOS6 and CentOS7.

Both of them have SSH access. My client computer has Ubuntu 16.04.

For CentOS6 I can log in with the command

ssh -i ~/.ssh/serv1 root@serv1

but the command

ssh root@serv1

prompts for the password. That is OK for me.

For CentOS7 I can log in with the command

ssh -i ~/.ssh/serv2 root@serv2

but the command

ssh root@serv2

does NOT prompt for the password. I can log in successfully too.

When I do 'ssh root@serv2' from another computer, ssh prompts for the password, which is OK.

The question is: why can I log in to serv2 without a password and without an ssh key with the command

ssh -i ~/.ssh/serv2 root@serv2

?

I can't find the option responsible for it, and I can't find out whether this is standard behavior for CentOS7.

Tell me if additional info is needed.

Best Answer

This is because you have your identity (public key) added as an authorized key on serv2 in /root/.ssh/authorized_keys. See the AUTHORIZED_KEYS FILE FORMAT section of man sshd for more information on this file.

Your default identities are stored in the ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_rsa and id_ed25519 files, with similar files ending in .pub storing the respective public keys. When you try to log in to any remote ssh server without specifying the '-i' option, these are offered to the remote server. If the remote server has any of these stored in its ~/.ssh/authorized_keys, then you can log in with that key (i.e. without a password), because password-based and public-key-based authentication are two different methods of authorizing a remote user.

When you specify the '-i' option, you are just presenting a different public key, stored in that file.

Also, you can always run ssh with the '-v' option to get more details about which key method/public key was accepted by the remote, like in this example:

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/nstorm/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering ECDSA public key: /home/nstorm/.ssh/id_ecdsa
debug1: Server accepts key: pkalg ecdsa-sha2-nistp256 blen 104
debug1: Authentication succeeded (publickey).
Authenticated to 172.16.2.1 ([172.16.2.1]:22).

If you don't want to be able to log in to serv2 without a password when you don't set your non-default identity with the '-i' option, you have to remove your default identity stored on serv2 in /root/.ssh/authorized_keys. It should be the same line as your local ~/.ssh/id_*.pub key.
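
The removal step above depends on knowing which authorized_keys line belongs to which local key. The script below is an added example, not part of the original answer: it compares local .pub files against a copy of an authorized_keys file and reports the matching line numbers. The function names (keys, matching_keys, demo) are hypothetical, the key blobs are constructed placeholders, and only the rsa, dss, ed25519 and ecdsa key types are recognized.

```shell
#!/bin/sh
# Added example: find which local public keys are listed in an authorized_keys file.

# keys: read key lines on stdin, print "<line-no> <type> <blob>" for each key.
# Scans for the key-type field so lines with leading options (from="...") work.
keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) {
                    print NR, $i, $(i + 1)
                    next
                }
        }'
}

# matching_keys AUTH_FILE PUBKEY_FILE...
matching_keys() {
    auth=$1; shift
    for pub in "$@"; do
        [ -r "$pub" ] || continue
        want=$(keys < "$pub" | head -n 1 | cut -d' ' -f2-)
        [ -n "$want" ] || continue
        keys < "$auth" | while read -r n type blob; do
            if [ "$type $blob" = "$want" ]; then
                echo "$pub matches $auth line $n"
            fi
        done
    done
}

# Demo on constructed data: the key blobs are made up, not real keys.
demo() {
    d=$(mktemp -d)
    echo 'ssh-rsa AAAAconstructedDEFAULTkey user@client' > "$d/id_rsa.pub"
    echo 'ssh-ed25519 AAAAconstructedSERV2key user@client' > "$d/serv2.pub"
    cat > "$d/authorized_keys" <<'EOF'
# constructed stand-in for serv2:/root/.ssh/authorized_keys
ssh-ed25519 AAAAconstructedSERV2key user@client
from="192.0.2.10" ssh-rsa AAAAconstructedDEFAULTkey user@client
EOF
    (cd "$d" && matching_keys authorized_keys id_rsa.pub serv2.pub)
    rm -rf "$d"
}

demo
```

For real use, call matching_keys with a copy of the server's /root/.ssh/authorized_keys followed by ~/.ssh/id_*.pub; every reported line is a default identity that lets plain 'ssh root@serv2' succeed without a password.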
