SSH – identify which users still login using passwords

ssh

I have an Ubuntu Linux server allowing password authentication for SSH, and I want to switch it to SSH keys only and disable password login.

Before I disable password login, how can I find out which users are still using passwords, and which have switched to key authentication?

Best Answer

You can't do that 100% reliably, but there are two strong indications:

First, the presence of a .ssh/authorized_keys file is a hint the user is at least prepared to use key based login
Second, in the authentication log file (/var/log/secure on CentOS, /var/log/auth.log on Debian/Ubuntu), the auth method will be logged:
```
Sep 28 13:44:28 hostname sshd[12084]: Accepted publickey for sven
```
vs
```
Sep 28 13:47:36 hostname sshd[12698]: Accepted password for sven
```
Scan the log for entries with password mentioned to learn who is still using passwords. This will not work with users seldom logging in of course unless you have very long log retention.

Related Solutions

Ssh – Enforce SSH key passwords

The passphrase that can be set on the private key is unrelated to the SSH server or the connection to it. Setting a passphrase to the private key is merely a security measure the key owner may take in order to prevent access to his remote shell by a third party in case the private key gets stolen.

Unfortunately, you cannot force users to secure their private keys with passphrases. Sometimes, unprotected private keys are required in order to automate access to the remote SSH server. One good habit I highly recommend for such cases is to advise the users to hash the known_hosts file (stored at ~/.ssh/known_hosts), which keeps information about the remote hosts the user connects to, using the following command:

ssh-keygen -H -f ~/.ssh/known_hosts

This way, even if a third party gained access to an unprotected private key, it would be extremely difficult to find out for which remote hosts this key is valid. Of course, clearing the shell history is mandatory for this technique to be of any value.

Also, another thing you should always bear in mind, is not allow root to login remotely by adding the following in your SSH server's configuration (sshd_config):

PermitRootLogin no

On the other hand, if you want to prevent users from using keys to authenticate, but instead use passwords, you should add the following to your sshd_config:

PasswordAuthentication yes
PubkeyAuthentication no

SSH use only the password, Ignore the ssh key, don’t prompt me for a passphrase

Try ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no host.example.org

In ssh v2, keyboard-interactive is another way to say "password". The -o PubkeyAuthentication=no option instructs the client not to attempt key pair authentication.

In addition, the PasswordAuthentication=yes option is to override any previously configured ssh options that may have disabled it.

Best Answer

Related Solutions

Ssh – Enforce SSH key passwords

SSH use only the password, Ignore the ssh key, don’t prompt me for a passphrase

Related Topic