two factor authentication

jacob martinson martinson.jacob at gmail.com
Sun Jul 23 10:08:59 EST 2006


On 7/22/06, Frank Cusack <fcusack at fcusack.com> wrote:
> On July 22, 2006 12:15:07 PM -0500 jacob martinson <martinson.jacob at gmail.com> wrote:
> > Are there any plans on the table to add native support for two-factor
> > authentication, such as password *and* public key?
>
> You can already do that.  Public key is itself already 2-factor --
> something you know (the pin/passcode) and something you have (the
> device on which the public key resides).  Password, via PAM or BSDAUTH,
> allows any two factor device the host (server) system supports.
>

You can?  How can you configure ssh to require both successful
password authentication (via the underlying OS password verification
mechanisms) and public key auth before the user is allowed onto the
system?

Public key is only single factor.  All you need to know to
authenticate is the private key.  There is no way to enforce
passphrase protection of the private key from the server's perspective so
- unless I'm missing something - that isn't two-factor.



More information about the openssh-unix-dev mailing list