feature request in sshd: require both "pubkey" & "password"
Dan Kaminsky
dan at doxpara.com
Sun Feb 10 08:17:20 EST 2002
> > I have a feature request in sshd. A feature that only allows user who
> > passes both public key and password authentication to login.
>
> I wrote such a patch, that implements ordered requirements. (e.g.
publickey
> _then_ password). The feedback from Markus was that the functionality (not
> the code) was too complicated. He said he wanted something simple, like a
> bitfield, without ordering. Since that doesn't meet my requirements, I
> guess I'm stuck maintaining forked code (*sigh*). But if someone else
> wanted to do the less-functional patch, it might be accepted.
What security advantage do you perceive through ordered requirements? AND
ops generally commute.
If there was an external access authenticator, like a small app that
communicated with a smart card or external database, then ordered
requirements would be appropriate: For example, you might want to verify
somebody had a local passphrase and a global(i.e. external) password, but
not challenge for global password until the local side was satisfied.
--Dan
More information about the openssh-unix-dev
mailing list