-
@subtlecourage said in 2 RSA SSH Keys per user on server:
I want to require a password, an SSH key, and TOTP to login.
By password do you mean SSH private key password OR ssh login password? Is there any reason why you want all these 3 enabled together? If it's for security, having SSH login and protecting your SSH key with a password is already mighty secure.
Only the ssh code that is last in the file is able to be detected. So if I have the windows ssh key last, then that works. If I have the linux ssh key last then only that works.
Just guessing... maybe some new line issue? Note that in authorized_keys, each key has to be in a single line. So, there must only be a total of 2 lines in that file (with your 2 keys).
-
@girish Yeah, purely for security.
The odd thing is that there are only two lines, one key per line.
Is there a setting somewhere that I have to set to enable multiple ssh keys per user? I thought it just worked out of the box.
-
@subtlecourage if your SSH key is long there is really no security advantage in also adding a password; what would make more sense instead is to put a password on the SSH key, so if that one is leaked it has to be broken first.
-
@subtlecourage not exactly sure what you mean by this. You can keep many SSH keys in your laptop and provision different servers with different keys. The SSH key on the client can be used for any user on the remote end, for which the server knows and accepts the public key part (i.e. stored in the user's ~/.ssh/authorized_keys file).
-
@nebulon said in 2 RSA SSH Keys per user on server:
@subtlecourage not exactly sure what you mean by this. You can keep many SSH keys in your laptop and provision different servers with different keys. The SSH key on the client can be used for any user on the remote end, for which the server knows and accepts the public key part (i.e. stored in the user's ~/.ssh/authorized_keys file).
In the ~/.ssh/authorized_keys file, I have two SSH keys for user1.
SSH key1 is for computer1 and is on line 1.
SSH key2 is for computer2 and is on line 2.
Whichever key is on line 2, that is the machine that can SSH into my server.
If I use the above setup, staying the same, and I try to SSH using user1's computer1 SSH key, I get:
No supported authentication methods available (Server sent: publickey)
If I switch the position of the keys so user1's computer1 key is on line 2, then I am able to log in successfully.
Based off of this, do I have to make a separate user with sudo access for each machine I am going to SSH into the server from?
-
@subtlecourage this sounds like a config issue you need to adjust, not keys or users.
-
@subtlecourage I think the file then is just malformatted, since multple keys, each on their own line are supported.
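Since the two replies above point at a newline problem and a malformed authorized_keys file, here is a small lint script for that file. It is an added example written for this thread, not code from Cloudron or from any poster, and the sample key lines it checks are fabricated inline (the key bodies are structurally valid OpenSSH public-key blobs with made-up contents, not real keys). It flags the mistakes that leave a key silently unusable: a CRLF line ending from a Windows editor, two keys pasted onto one line (sshd reads the first key and treats the rest of the line as the comment field, so the second key is never consulted), a type prefix that does not match the key actually encoded in the base64 body, and a body that is not valid base64 at all. It does not diagnose the poster's specific server; it only tells you whether each line is something sshd can parse.

```python
"""Lint an OpenSSH authorized_keys file for formatting mistakes that make a
key silently unusable. Added example for this thread; SAMPLE below is
constructed input, not a real authorized_keys file."""
import base64
import struct
import sys

# Key-type tokens sshd accepts at the start of a key (certificates omitted).
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_blob(keytype: str, *fields: bytes) -> str:
    """Base64 body of a public key: the type name, then each field, as RFC 4251
    strings. Used here only to fabricate sample input with made-up fields."""
    raw = ssh_string(keytype.encode()) + b"".join(ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()


def blob_keytype(blob_b64: str) -> str:
    """Decode a base64 key body and return the key type encoded inside it."""
    raw = base64.b64decode(blob_b64, validate=True)  # binascii.Error is a ValueError
    if len(raw) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if len(raw) < 4 + n:
        raise ValueError("truncated type field")
    return raw[4:4 + n].decode("ascii", errors="replace")


def parse_key_line(line: str):
    """Split one line into (options, keytype, blob, comment) the way sshd reads
    it: tokens before the first key type are options, everything after the
    base64 body is the comment. Returns None if no key type token is found."""
    fields = line.split()
    for i, tok in enumerate(fields):
        if tok in KEY_TYPES and i + 1 < len(fields):
            return " ".join(fields[:i]), tok, fields[i + 1], " ".join(fields[i + 2:])
    return None


def check_authorized_keys(text: str):
    """Return a list of (line_number, level, message) with level 'ok', 'warn'
    or 'error'. Blank lines and '#' comments are skipped, as sshd skips them."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        msgs = []
        if line.endswith("\r"):
            msgs.append(("warn", "CRLF line ending (file edited on Windows?)"))
            line = line.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parsed = parse_key_line(line)
        if parsed is None:
            findings.append((lineno, "error", "no recognised key type on this line"))
            continue
        options, keytype, blob, comment = parsed
        # A second key-type token after the body means two keys share a line;
        # sshd keeps the tail as the comment, so the second key is ignored.
        extra = [t for t in comment.split() if t in KEY_TYPES]
        if extra:
            msgs.append(("error", f"second key ({extra[0]}) fused onto this line; it is read as comment"))
        try:
            inner = blob_keytype(blob)
            if inner != keytype:
                msgs.append(("error", f"prefix says {keytype} but the body encodes {inner}"))
        except ValueError as exc:
            msgs.append(("error", f"key body is not valid base64/ssh wire format: {exc}"))
        if not msgs:
            msgs.append(("ok", f"{keytype} key" + (f" with options {options!r}" if options else "")))
        findings.extend((lineno, level, msg) for level, msg in msgs)
    return findings


# Constructed sample: fabricated key bodies, one mistake per bad line.
RSA_GOOD = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + b"\x5a" * 62)
ED_GOOD = make_blob("ssh-ed25519", bytes(range(32)))
SAMPLE = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    f"ssh-rsa {RSA_GOOD} user1@computer1",
    f"ssh-ed25519 {ED_GOOD} user1@computer2\r",
    f"ssh-rsa {RSA_GOOD} user1@computer1 ssh-ed25519 {ED_GOOD} user1@computer2",
    f"ssh-ed25519 {RSA_GOOD} mislabelled",
    f'from="10.0.0.0/8",no-pty ssh-rsa {RSA_GOOD} restricted',
    "ssh-rsa not!base64 broken",
    "",
])

if __name__ == "__main__":
    # Usage: python lint_authorized_keys.py [~/.ssh/authorized_keys]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lineno, level, msg in check_authorized_keys(text):
        print(f"line {lineno}: {level}: {msg}")
```

Run it against the real file (`python lint_authorized_keys.py ~/.ssh/authorized_keys`) on the server; a clean file prints only `ok` lines. The script checks format only, not whether the key is the one the client is offering, so pair it with `ssh -v` on the client and the sshd log on the server when a key still fails.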
-
Multiple keys are definitely supported and you don't need to create separate users. In fact, this is how the Support -> Remote Access feature works. It adds our public ssh key to authorized_keys and then allows the Cloudron team as well as the user to simultaneously ssh. You probably know already, but to be clear, this is not something we implemented; this is just a standard Linux feature.
Not sure why it's not working for you, but I would just spin up a new VPS and put two SSH keys there and test it from there. Then try to compare with the changes you made in sshd etc.
-
@subtlecourage I'm not sure on which machine you get this message now, but have you checked the file permissions (chmod) on your RSA keys? That could also be a factor.
Andy