Cloudron Forum


2 RSA SSH Keys per user on server

  • S subtlecourage

    What I am trying to accomplish

    On a Windows machine and on a Linux machine I want to be able to SSH into my server.
    I want to use separate Public/private keys for each machine.
    I want to require a password, an SSH key, and TOTP to login.

    What I have done

    I have followed several guides and even different documentation on how to set this up. Multiple people and guides suggest that what I am trying to accomplish is possible. In addition, why would it be that a user can log in from one machine to the server?

    I have a root and a second account set up to use 2FA and SSH on both machines. On Linux it knows which to use due to magic (not sure how, but it does; I am using Ubuntu if it helps). On Windows I tell which profile to use which .pub file via PuTTY.

    I have tried both a manual setup (copy/pasta) of my SSH codes into the authorized_keys file for both users using the correct keys, and I have also set it up where the SSH key from the Windows user is in the authorized_keys file first, then hopped over to the Linux box and used the ssh-copy-id command to append the Linux public key to the server's authorized_keys file for each respective user.

    What ends up happening

    Only the ssh code that is last in the file is able to be detected. So if I have the windows ssh key last, then that works. If I have the linux ssh key last then only that works.

    I genuinely do not understand why this is being such a pain. At this point it's looking like a separate user for each machine will be used, which isn't the end of the world, but is not ideal.

    Any tribal knowledge anyone has about this?

    Oh, one other thing to share, in my /etc/ssh/sshd_config file

    I have
    AuthenticationMethods publickey,password publickey,keyboard-interactive
    AND
    PubkeyAuthentication yes

    girish
    Staff
    wrote on last edited by
    #2

    @subtlecourage said in 2 RSA SSH Keys per user on server:

    I want to require a password, an SSH key, and TOTP to login.

    By password do you mean SSH private key password OR ssh login password? Is there any reason why you want all these 3 enabled together? If it's for security, having SSH login and protecting your SSH key with a password is already mighty secure.

    Only the ssh code that is last in the file is able to be detected. So if I have the windows ssh key last, then that works. If I have the linux ssh key last then only that works.

    Just guessing... maybe some new line issue? Note that in authorized_keys, each key has to be in a single line. So, there must only be a total of 2 lines in that file (with your 2 keys).

      subtlecourage
      wrote on last edited by
      #3

      @girish Yeah, purely for security.

      The odd thing is that there are only two lines, one key per line.

      Is there a setting somewhere that I have to set to enable multiple ssh keys per user? I thought it just worked out of the box.

        nebulon
        Staff
        wrote on last edited by
        #4

        @subtlecourage if your SSH key is long there is really no security advantage of also adding a password. What would make more sense is to put a password on the SSH key instead, so if that one is leaked that one has to be broken first.

          subtlecourage
          wrote on last edited by
          #5

          @nebulon Ok, that's fine. I can add long passwords to my SSH keys, but I'm still stuck with only being able to SSH from one machine per user.

          Do I really need a separate user per machine I ssh in from?

            nebulon
            Staff
            wrote on last edited by
            #6

            @subtlecourage not exactly sure what you mean by this. You can keep many SSH keys on your laptop and provision different servers with different keys. The SSH key on the client can be used for any user on the remote end for which the server knows and accepts the public key part (i.e. stored in the user's ~/.ssh/authorized_keys file).

              subtlecourage
              wrote on last edited by
              #7

              @nebulon said in 2 RSA SSH Keys per user on server:

              @subtlecourage not exactly sure what you mean by this. You can keep many SSH keys on your laptop and provision different servers with different keys. The SSH key on the client can be used for any user on the remote end for which the server knows and accepts the public key part (i.e. stored in the user's ~/.ssh/authorized_keys file).

              In the ~/.ssh/authorized_keys file, I have two SSH keys for user1.

              SSH key1 is for computer1 and is on line1.
              SSH key2 is for computer2 and is on line2.

              Whichever key is on line 2, that is the machine that can SSH into my server.

              If I use the above set up staying the same, and I try to SSH using user1's computer1 SSH key I get

              No supported authentication methods available (Server sent: publickey)

              If I switch the position of the keys so User1's computer1 key is on line2, then I am able to login successfully.

              Based off of this, do I have to make a separate user with sudo access for each machine I am going to SSH into the server from?

                robi
                wrote on last edited by
                #8

                @subtlecourage this sounds like a config issue you need to adjust, not keys or users.

                Conscious tech

                  nebulon
                  Staff
                  wrote on last edited by
                  #9

                  @subtlecourage I think the file then is just malformed, since multiple keys, each on their own line, are supported.
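
An added example (not part of the thread and not Cloudron's code) that checks an authorized_keys file for the formatting faults raised in the replies above: every entry must sit on a single line and carry a complete key blob. The function names, the key-type list and the all-zero sample key are assumptions constructed for illustration.

```python
import base64
import struct

# Common OpenSSH key types; not exhaustive (assumption: extend for sk-* or certificate types).
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def wire(field: bytes) -> bytes:
    """SSH wire encoding of a string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(field)) + field

def blob_type(blob: bytes):
    """Walk the length-prefixed fields of a key blob; None means it is cut short."""
    pos, fields = 0, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + size])
        pos += 4 + size
    return fields[0].decode("ascii", "replace") if fields and pos == len(blob) else None

def check_authorized_keys(data: bytes):
    """Return (usable_keys, problems) where problems is a list of (line_no, reason)."""
    usable, problems = 0, []
    for no, raw in enumerate(data.split(b"\n"), 1):
        line = raw.decode("ascii", "replace")
        if line.endswith("\r"):
            problems.append((no, "CRLF line ending"))
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type, so search for it instead of assuming field 0.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            problems.append((no, "no key type and blob on one line"))
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            blob = b""
        if blob_type(blob) != fields[idx]:
            problems.append((no, "key blob is malformed or cut short"))
            continue
        usable += 1
    return usable, problems

def sample_key(comment: bytes) -> bytes:
    """Constructed ed25519-shaped entry (all-zero key material), for demonstration only."""
    blob = base64.b64encode(wire(b"ssh-ed25519") + wire(bytes(32)))
    return b"ssh-ed25519 " + blob + b" " + comment
```

A usable count lower than the number of keys you installed, with no problems reported, points to two entries fused onto one line, where the second key is read as part of the first key's comment.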

                    girish
                    Staff
                    wrote on last edited by
                    #10

                    Multiple keys are definitely supported and you don't need to create separate users. In fact, this is how the Support -> Remote Access feature works. It adds our public SSH key to authorized_keys and then allows the Cloudron team as well as the user to simultaneously SSH. You probably know already, but to be clear, this is not something we implemented; this is just a standard Linux feature.

                    Not sure why it's not working for you, but I would just spin up a new VPS and put two SSH keys there and test it from there. Then try to compare with the changes you made in sshd etc.

                      micmc
                      wrote on last edited by
                      #11

                      @subtlecourage I'm not sure on which machine you get this message now, but have you checked the file permissions (chmod) on your RSA keys? That could also be a factor.

                      Andy

                      Ignorance is not an excuse anymore!
                      https://AutomateKit.com
