Extra parameters for PreferredAuthentications shouldn't be needed here.

I strongly suspect what you have is an encrypted key -- an encrypted key needs a password to gain access to the key.  (The password isn't actually sent to the remote system like it would be with password authentication.)

You don't have to do anything special, just set that key up... if it's not the default identity key for your account, you may have to pass a parameter telling it to use that key.  When you run ssh, it'll ask for the password for the key, then it'll use that to access the key, and send the key to the customer.

To automate this, you will just put those same prompts you see interactively into your Expect script.

(I sent you an email saying more or less the same thing a week or so ago.)


On 9/5/24 10:12 AM, Jay Vaughn wrote:
I'll go get clarity but based on all the info I've received so far it is
both ssh key and password auth during the client server connection.

ONLY thing I think that may be a possibility is
PreferredAuthentications=Keyboard-Interactive

In which case, perhaps both can be applied? I don't know.

Let me clarify the request.

thanks Patrick

Jay

On Thu, Sep 5, 2024 at 11:02 AM Patrik Schindler <poc@xxxxxxxxxx> wrote:

Hello Jay,

On 05.09.2024 at 16:44, Jay Vaughn <jeffersonvaughn@xxxxxxxxx> wrote:

> that's what I thought Patrick... and this customer has MANY vendors they
> work with in the product and every vendor is either SSH Key validated OR
> password... but now they have a vendor that requires both.
> So yes, both authentication methods have to happen.

I'm not aware that it is even possible. To my current knowledge, ssh
authentication does not "stack". Once one method succeeds, the rest is
skipped.

> Is that possible, from the IBM i client side.

I guess this is not a special IBM i thing but a generic OpenSSH topic.
Maybe this helps you search for clues?

> for password auth I utilize the EXPECT script.... But really we don't need
> to muddy the picture with that... Just need to know when we spawn the
> sftp.. is there a way to tell the process we should authenticate both keys
> and password?

Are you 100% sure you're talking about Key- and Password authentication
taking place? Or are you perhaps using a password protected private key
file?

The key is encrypted with the password hash and to be used it must be
first decrypted. All of this is a purely local procedure. You can even use
ssh-keygen to remove the passphrase, so you can use the unencrypted key for
authentication. Once that keyfile is copied by unauthorized third parties, bad
things may happen. But I guess you're aware of that?

Search for "ssh-keygen manpage" on the internet to see how to change the
password or remove it with the -p parameter.

:wq! PoC



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
