
I have configured a PKCS#11 remote SSH connection on my Ubuntu server such that users can log in to it using a hardware token, as described here. However, in this condition, the user can log in to the server, remove the token and give it to someone else for login. I want to restrict the user such that when he removes the token, he cannot keep the connection to my server anymore (or after a short time). That is, I want to configure a continuous dependency on the token. Is it necessary to develop a specific SSH client? Currently, I use PuTTY-CAC as the client.

sajad

1 Answer


No, that's not possible without client modifications – user authentication in SSH is performed only once for the entire connection, as well as being client-initiated in the first place.

SSHv2 does support rekeying, which may even be server-initiated, but it only creates a dependency on the server's "host" keypair, not the user's.

Though the "gssapi-keyex" mechanism might be an exception as it merges Kerberos user authentication into the key exchange method and therefore depends on the user having non-expired Kerberos tickets, but if you're using PKCS#11 then you're not using Kerberos.

(I could also think of a hack that involves loading your PKCS#11 token into Pageant-CAC (PuTTY's SSH key agent), then enabling SSH "agent forwarding" so that the server could periodically request signatures from the forwarded agent... but this of course has the massive downside of allowing the PKCS#11 token to be abused by malicious servers through the same "agent forwarding" feature.)

Maybe treat it as a company policy problem and impose consequences on account sharing.

u1686_grawity
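The "periodically request signatures from the forwarded agent" idea from the answer, written out as a server-side watchdog. This is an added example, not code from the question or the answer; it assumes the client forwards its agent (Pageant-CAC) so that sshd sets `SSH_AUTH_SOCK` in the session, that the token's public key is saved on the server (the `~/.ssh/token_key.pub` path is assumed), and that OpenSSH's `ssh-add -T` is available. It inherits the agent-forwarding exposure the answer points out.

```shell
#!/usr/bin/env bash
# Added example (not from the question or the answer): a server-side watchdog
# for the polling idea in the answer. Assumes the client forwards its agent
# (Pageant-CAC) so sshd sets SSH_AUTH_SOCK, that the token's public key is
# saved on the server (the pubkey path is assumed), and OpenSSH's ssh-add.

# Return 0 if the forwarded agent can still sign with the key in $1.
# ssh-add -T performs a sign-and-verify round trip through the agent, so it
# fails when the agent is gone, the identity was unloaded, or the token no
# longer answers. Nothing is printed; only the exit status matters.
token_still_usable() {
    local pubkey_file="$1"
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -T "$pubkey_file" >/dev/null 2>&1
}

# Fold one probe result ($1, 0 = signature succeeded) into the consecutive-miss
# counter ($2) and print the new counter. A success resets it to 0.
update_misses() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(($2 + 1)); fi
}

# Return 0 when the session should end: $1 misses reached the limit $2.
# Tolerating a couple of misses keeps a slow token from dropping the user
# on a single timeout.
should_hang_up() {
    [ "$1" -ge "$2" ]
}

# Poll every $2 seconds (default 30) and hang up the login shell after $3
# (default 2) consecutive failed signature probes. Run it in the background
# from the user's login profile, e.g. in ~/.profile:
#   token_watchdog ~/.ssh/token_key.pub 30 2 &
token_watchdog() {
    local pubkey_file="$1" interval="${2:-30}" max_misses="${3:-2}" misses=0 rc
    while sleep "$interval"; do
        token_still_usable "$pubkey_file" && rc=0 || rc=1
        misses=$(update_misses "$rc" "$misses")
        if should_hang_up "$misses" "$max_misses"; then
            logger -t token-watchdog "token unusable ${misses}x, ending session for ${USER:-unknown}"
            kill -HUP "$$"   # $$ is still the login shell's PID inside a background job
            return 1
        fi
    done
}
```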