Authentication w/ key + password

Jason Wright jasonwright365 at
Wed Sep 3 04:32:17 EST 2008

I have read archives about two-factor authentication on this list and
it is interesting and can open up a can of worms. I don't intend to
open a can of worms or spur debate.

As far as I can tell, authentication to openssh can be performed by
signing a connection request with a private client key & having the
server decrypt the key with the public key.
The other way to authenticate (in which I am interested) is to use
a password which is verified through PAM, etc.
In both instances communication from the server is signed with the
server's private key to ensure authenticity of the server.

As far as I can tell, there is no way to authenticate with both
mechanisms (client key + password).

I have looked at the source and have some ideas, but if I could get
steered in the right direction of how to change openssh to allow both
authentication methods, I would appreciate that.

As a side note, my ideal authentication method for authenticating the
client is as follows:
public key authentication
password defined by password rules with required change intervals
One-time-password / pseudo random password
(combining static passwords with OTP / pseudo random passwords would
be more appropriate for a RADIUS (maybe PAM) implementation)

Again I don't want to cause controversy. I understand there are
differences between smartcards, OTP, pseudo random number generators,
encryption keys. There are security measures, conveniences, etc.
that need to be considered for all of these methods. I just want to modify
openssh to fit my needs. Any help would be appreciated.

Jason Wright

More information about the openssh-unix-dev mailing list
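
An added example, not part of the original post and not OpenSSH's own code: OpenSSH releases from 6.2 onward have an AuthenticationMethods keyword in sshd_config that can require a client key and a password together, and this sketch audits config text for exactly that requirement. The function names and both sample configs are constructed, and Match blocks are ignored.

```python
# Added example: audit sshd_config text for the key + password requirement.
# AuthenticationMethods is a real sshd_config keyword; the function names and
# both sample configs are constructed for illustration.
SECOND_FACTORS = {"password", "keyboard-interactive"}

WEAK = """\
# constructed sample: either factor alone is accepted
PasswordAuthentication yes
AuthenticationMethods publickey password
"""

HARDENED = """\
# constructed sample: key first, then a password or a PAM-driven prompt
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive:pam
"""


def global_auth_methods(config_text):
    """Return the global AuthenticationMethods lists as a list of sets.

    An empty result means the keyword is unset (any single method suffices).
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        keyword = parts[0].lower()  # sshd_config keywords are case-insensitive
        if keyword == "match":
            break  # settings after a Match line are conditional; not audited here
        if keyword == "authenticationmethods":
            # sshd keeps the first value seen; drop sub-methods such as ":pam"
            return [{m.split(":", 1)[0] for m in lst.split(",")} for lst in parts[1:]]
    return []


def requires_key_and_password(config_text):
    """True only if every method list needs publickey AND a password-type method.

    sshd grants access once any one list is fully satisfied, so a single
    weaker alternative list defeats the requirement.
    """
    lists = global_auth_methods(config_text)
    return bool(lists) and all(
        "publickey" in methods and methods & SECOND_FACTORS for methods in lists
    )


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, requires_key_and_password(cfg))
```
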