feature request in sshd: require both "pubkey" & "password"

Dan Kaminsky dan at doxpara.com
Sun Feb 10 08:17:20 EST 2002


> > I have a feature request in sshd.  A feature that only allows user who
> > passes both public key and password authentication to login.
>
> I wrote such a patch, that implements ordered requirements. (e.g. publickey
> _then_ password). The feedback from Markus was that the functionality (not
> the code) was too complicated. He said he wanted something simple, like a
> bitfield, without ordering. Since that doesn't meet my requirements, I
> guess I'm stuck maintaining forked code (*sigh*). But if someone else
> wanted to do the less-functional patch, it might be accepted.

What security advantage do you perceive through ordered requirements?  AND
ops generally commute.

If there was an external access authenticator, like a small app that
communicated with a smart card or external database, then ordered
requirements would be appropriate:  For example, you might want to verify
somebody had a local passphrase and a global (i.e. external) password, but
not challenge for global password until the local side was satisfied.

--Dan
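
Added illustration, not part of the original message and not OpenSSH code: a C sketch of the point above, that requiring both methods yields the same accept/reject decision in either order, while only an ordered policy keeps the external authenticator from being contacted before the local check has passed. The method bits, struct and function names are hypothetical, and the unordered case assumes the client attempts the external method first.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical method bits for this sketch; not OpenSSH identifiers. */
enum { M_LOCAL = 1, M_GLOBAL = 2, M_BOTH = 3 };
struct attempt { bool local_ok, global_ok; };  /* constructed client state */
static int external_queries;  /* contacts made to the external authenticator */

static bool check(unsigned method, const struct attempt *a) {
    if (method == M_GLOBAL) { external_queries++; return a->global_ok; }
    return a->local_ok;
}

/* Unordered policy: every required method is open at once, so the client
 * picks the order. Assumption: the client tries M_GLOBAL first. */
bool auth_bitfield(const struct attempt *a, unsigned required) {
    unsigned done = 0;
    if ((required & M_GLOBAL) && check(M_GLOBAL, a)) done |= M_GLOBAL;
    if ((required & M_LOCAL) && check(M_LOCAL, a)) done |= M_LOCAL;
    return done == required;
}

/* Ordered policy: method i+1 is not offered until method i has succeeded. */
bool auth_ordered(const struct attempt *a, const unsigned *order, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!check(order[i], a)) return false;
    return true;
}

/* Runs all four local/global cases; returns contacts, sets accepted-case mask. */
int run_policy(bool ordered, unsigned *accepted) {
    static const unsigned order[] = { M_LOCAL, M_GLOBAL };
    external_queries = 0;
    *accepted = 0;
    for (unsigned i = 0; i < 4; i++) {
        struct attempt a = { (i & 1) != 0, (i & 2) != 0 };
        bool ok = ordered ? auth_ordered(&a, order, 2) : auth_bitfield(&a, M_BOTH);
        if (ok) *accepted |= 1u << i;
    }
    return external_queries;
}

int main(void) {
    unsigned u, o;
    int cu = run_policy(false, &u), co = run_policy(true, &o);
    printf("same decisions=%d contacts: unordered=%d ordered=%d\n", u == o, cu, co);
    return 0;
}
```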





More information about the openssh-unix-dev mailing list