    2 RSA SSH Keys per user on server

    • S
      subtlecourage last edited by girish

      What I am trying to accomplish

      On a Windows machine and on a Linux machine I want to be able to SSH into my server.
      I want to use separate Public/private keys for each machine.
      I want to require a password, an SSH key, and TOTP to login.

      What I have done

      I have followed several guides and even different documentation on how to set this up. Multiple people and guides suggest that what I am trying to accomplish is possible. In addition, why would it be that a user can log in from one machine to the server?

      I have a root and a second account set up to use 2FA and SSH on both machines. On Linux it knows which to use due to magic (not sure how, but it does; I am using Ubuntu if it helps), on Windows I tell which profile to use which .pub file via PuTTY.

      I have tried both a manual setup (copy/pasta) of my ssh codes into the authorized_keys file for both users using the correct keys, and I have also set it up where the SSH key from the Windows user is in the authorized_keys file first, then hopped over to the Linux box and used the ssh-copy-id command to append the Linux public key to the server's authorized key file for each respective user.

      What ends up happening

      Only the ssh code that is last in the file is able to be detected. So if I have the windows ssh key last, then that works. If I have the linux ssh key last then only that works.

      I genuinely do not understand why this is being such a pain. At this point it's looking like a separate user for each machine will be used, which isn't the end of the world, but is not most ideal.

      Any tribal knowledge anyone has about this?

      Oh, one other thing to share, in my /etc/ssh/sshd_config file

      I have
      AuthenticationMethods publickey,password publickey,keyboard-interactive
      AND
      PubkeyAuthentication yes

      • girish
        girish Staff @subtlecourage last edited by

        @subtlecourage said in 2 RSA SSH Keys per user on server:

        I want to require a password, an SSH key, and TOTP to login.

        By password do you mean SSH private key password OR ssh login password? Is there any reason why you want all these 3 enabled together? If it's for security, having SSH login and protecting your SSH key with a password is already mighty secure.

        Only the ssh code that is last in the file is able to be detected. So if I have the windows ssh key last, then that works. If I have the linux ssh key last then only that works.

        Just guessing... maybe some new line issue? Note that in authorized_keys, each key has to be in a single line. So, there must only be a total of 2 lines in that file (with your 2 keys).

        • S
          subtlecourage @girish last edited by

          @girish Yeah, purely for security.

          The odd thing is that there are only two lines, one key per line.

          Is there a setting somewhere that I have to set to enable multiple ssh keys per user? I thought it just worked out of the box.

          • nebulon
            nebulon Staff @subtlecourage last edited by

            @subtlecourage if your SSH key is long there is really no security advantage in also adding a password. What would make more sense is to put a password on the SSH key instead, so if that one is leaked that one has to be broken first.

            • S
              subtlecourage @nebulon last edited by

              @nebulon OK, that's fine. I can add long passwords to my SSH keys, but I'm still stuck with only being able to SSH from one machine per user.

              Do I really need a separate user per machine I ssh in from?

              • nebulon
                nebulon Staff @subtlecourage last edited by

                @subtlecourage not exactly sure what you mean by this. You can keep many SSH keys on your laptop and provision different servers with different keys. The SSH key on the client can be used for any user on the remote end for which the server knows and accepts the public key part (i.e. stored in the user's ~/.ssh/authorized_keys file).

                • S
                  subtlecourage @nebulon last edited by

                  @nebulon said in 2 RSA SSH Keys per user on server:

                  @subtlecourage not exactly sure what you mean by this. You can keep many SSH keys on your laptop and provision different servers with different keys. The SSH key on the client can be used for any user on the remote end for which the server knows and accepts the public key part (i.e. stored in the user's ~/.ssh/authorized_keys file).

                  In the ~/.ssh/authorized_keys file, I have two SSH keys for user1.

                  SSH key1 is for computer1 and is on line1.
                  SSH key2 is for computer2 and is on line2.

                  Whichever key is on line 2, that is the machine that can SSH into my server.

                  If I use the above set up staying the same, and I try to SSH using user1's computer1 SSH key I get

                  No supported authentication methods available (Server sent: publickey)

                  If I switch the position of the keys so User1's computer1 key is on line2, then I am able to login successfully.

                  Based off of this, do I have to make a separate user with sudo access for each machine I am going to SSH into the server from?

                  • robi
                    robi @subtlecourage last edited by

                    @subtlecourage this sounds like a config issue you need to adjust, not keys or users.

                    Life of Advanced Technology

                    • nebulon
                      nebulon Staff @subtlecourage last edited by

                      @subtlecourage I think the file then is just malformatted, since multiple keys, each on their own line, are supported.

                      • girish
                        girish Staff last edited by

                        Multiple keys are definitely supported and you don't need to create separate users. In fact, this is how the Support -> Remote Access feature works. It adds our public SSH key to authorized_keys and then allows the Cloudron team as well as the user to simultaneously SSH. You probably know already, but to be clear, this is not something we implemented; this is just a standard Linux feature.

                        Not sure why it's not working for you, but I would just spin up a new VPS and put two SSH keys there and test it from there. Then try to compare with the changes you made in sshd etc.

                        • micmc
                          micmc @subtlecourage last edited by

                          @subtlecourage I'm not sure on which machine you get this message now, but have you checked the file permissions (chmod) on your RSA keys? That could also be a factor.

                          Andy


                          https://marketingtechnology.agency
                          For cutting edge web technologies
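
An added example, not part of any post in this thread: a small linter for the two things the replies point at, the one-key-per-line format girish describes and the file permissions micmc mentions (sshd's `StrictModes`, on by default, refuses key files and parent directories writable by group or others). It assumes plain, non-certificate public keys; `lint_authorized_keys`, `loose_modes` and `fake_key` are illustrative names, and the sample keys are constructed blobs, not real keys.

```python
import base64
import os
import struct

def _blob_type_matches(ktype: str, b64: str) -> bool:
    """True if b64 is a complete SSH public-key blob whose first field is ktype."""
    try:
        blob, off, fields = base64.b64decode(b64, validate=True), 0, []
        while off < len(blob):                      # walk length-prefixed fields
            (n,) = struct.unpack_from(">I", blob, off)
            if off + 4 + n > len(blob):
                return False                        # field runs past the end: truncated
            fields.append(blob[off + 4:off + 4 + n])
            off += 4 + n
        return len(fields) >= 2 and fields[0] == ktype.encode()
    except Exception:                               # bad base64 or short length header
        return False

def lint_authorized_keys(data: bytes):
    """Return (usable_key_lines, [(line_no, problem), ...]) for raw file bytes."""
    problems, usable = [], 0
    if data and not data.endswith(b"\n"):
        problems.append((data.count(b"\n") + 1, "no final newline; an appended key would join this line"))
    for no, raw in enumerate(data.split(b"\n"), 1):
        if raw.startswith(b"\xef\xbb\xbf"):
            problems.append((no, "UTF-8 byte-order mark in front of the key"))
            continue
        if raw.endswith(b"\r"):
            problems.append((no, "CRLF line ending"))
        f = raw.decode("utf-8", "replace").split()
        if not f or f[0].startswith("#"):
            continue                                # blank line or comment
        # options may precede the key, so look for the pair anywhere on the line
        if any(_blob_type_matches(f[i], f[i + 1]) for i in range(len(f) - 1)):
            usable += 1
        else:
            problems.append((no, "no complete '<type> <base64>' pair (wrapped or truncated key?)"))
    return usable, problems

def loose_modes(key_file: str):
    """Home, ~/.ssh and the key file, filtered to those writable by group or others."""
    ssh_dir = os.path.dirname(os.path.abspath(key_file))
    return [p for p in (os.path.dirname(ssh_dir), ssh_dir, key_file)
            if os.stat(p).st_mode & 0o022]

def fake_key(ktype: str, comment: str) -> bytes:
    """Constructed sample line: structurally valid blob, not a real key."""
    parts = (ktype.encode(), b"\x01\x00\x01", b"\x00" + os.urandom(32))
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return ktype.encode() + b" " + base64.b64encode(blob) + b" " + comment.encode()
```

A file where two keys were appended without a newline between them lints clean but yields only one usable line, so compare the usable count against the number of keys you expect.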
