ssh login using private key and password

SSH is used to access Linux-based servers, and the most common ways to authenticate when logging in are public key authentication and password authentication. Both have their pros and cons. Public key authentication is the more secure of the two, but the downside is that the private key is stored on the client machine. Most people encrypt it with a passphrase, but the server cannot enforce the use of a passphrase. Also, people do not change their SSH keys regularly. Password authentication can be controlled at the server end, but it is human nature to create passwords that are simple and easily remembered, and simple passwords make these accounts vulnerable.

The two authentication methods can be combined so that both are required for login. Password policies can then be enforced for password expiry and password strength. The ssh configuration to require both public key and password authentication for login is:

In /etc/ssh/sshd_config

PasswordAuthentication yes
AuthenticationMethods publickey,password

For older versions of ssh (openssh-5.3), try the following:

PasswordAuthentication yes
RequiredAuthentications2 publickey,password

Reload the sshd service [Warning: check ssh status before leaving the session after running the command below]

systemctl reload sshd

After implementation, the Jenkins server and other ssh-based automation tools were not working due to the password prompt. So, I use the Match directive to exclude IPs.

PasswordAuthentication no
Match Address "*,!10.0.0.101"
    PasswordAuthentication yes
    AuthenticationMethods publickey,password

Per the above configuration, password authentication is disabled by default. For IP 10.0.0.101, only public key authentication is used, without a password; for all other IPs, both public key and password authentication are required.
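One way to confirm, before reloading, that the Match rule gives each client address the intended policy (an added example, not from the original post). It assumes sshd's extended test mode (`sshd -T -C`) and root privileges; the script name `check_auth.sh`, the function names and the sample output are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Usage (as root):
#   sh check_auth.sh ADDR key+password|key-only

# Print one keyword's value from `sshd -T` output read on stdin
# (sshd -T prints resolved settings as lowercase "keyword value" lines).
effective() {
    awk -v k="$1" '$1 == k { sub(/^[^ ]+ +/, ""); print; exit }'
}

# Reduce a resolved configuration (stdin) to the policy it enforces.
classify() {
    cfg=$(cat)
    methods=$(printf '%s\n' "$cfg" | effective authenticationmethods)
    pw=$(printf '%s\n' "$cfg" | effective passwordauthentication)
    pk=$(printf '%s\n' "$cfg" | effective pubkeyauthentication)
    if [ "$pk" = yes ] && [ "$pw" = yes ] && [ "$methods" = "publickey,password" ]; then
        echo key+password
    elif [ "$pk" = yes ] && [ "$pw" = no ]; then
        echo key-only
    else
        echo unexpected
    fi
}

# Constructed sample of resolved output for a non-exempt client.
sample_other() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'authenticationmethods publickey,password'
}

# Ask sshd itself which settings apply to a client address, Match blocks
# included. user= is a placeholder: the Match rule only tests the address.
resolve() {
    sshd -T -f "${SSHD_CONFIG:-/etc/ssh/sshd_config}" \
        -C "user=root,host=$1,addr=$1"
}

# check ADDR EXPECTED: a non-zero exit status means "do not reload yet".
check() {
    out=$(resolve "$1") || { echo "sshd rejected the config" >&2; return 2; }
    got=$(printf '%s\n' "$out" | classify)
    echo "$1: $got (expected $2)"
    [ "$got" = "$2" ]
}

if [ "$#" -eq 2 ]; then
    check "$1" "$2"
fi
```

Run it once with the exempted address and `key-only`, and once with any other address and `key+password`, before `systemctl reload sshd`. Keep the current session open until a fresh login from a second terminal succeeds.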
