Authentication w/ key + password

Rainer Laatsch Laatsch at uni-koeln.de
Wed Sep 3 05:42:13 EST 2008


If your home dir is on local disk or (standard) nfs (without access 
control enforcement like in AFS or NFS4, e.g.) the ssh login with an ssh-key 
enabled in your .ssh/authorized_keys should work. Alternative password 
authentication is best done via PAM (not /etc/shadow). A quick lookup 
with google yields:
  http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/\
    chap16sec132.html
Regards,
Rainer Laatsch

On Tue, 2 Sep 2008, Jason Wright wrote:

> I have read archives about two-factor authentication on this list and
> it is interesting and can open up a can of worms. I don't intend on
> opening a can of worms or spur debate.
>
> As far as I can tell, authentication to openssh can be performed by
> signing a connection request with a private client key & having the
> server decrypt the key with the public key.
> The other way to authenticate (which I am interested in) is to use
> a password which is verified through PAM, etc.
> In both instances communication from the server is signed with the
> server's private key to ensure authenticity of the server.
>
> As far as I can tell, there is no way to authenticate with both
> mechanisms (client key + password).
>
> I have looked at the source and have some ideas, but if I could get
> steered in the right direction of how to change openssh to allow both
> authentication methods, I would appreciate that.
>
>
> As a side note, my ideal authentication method for authenticating the
> client is as follows:
> public key authentication
> password defined by password rules with required change intervals
> One-time-password / pseudo random password
> (combining static passwords with OTP / pseudo random passwords would
> be more appropriate for a RADIUS (maybe PAM) implementation)
>
>
> Again I don't want to cause controversy. I understand there are
> differences between smartcards, OTP, pseudo random number generators,
> encryption keys. There are security measures, conveniences, etc.
> needed to consider for all of these methods. I just want to modify
> openssh to fit my needs. Any help would be appreciated.
>
> Thanks,
> Jason Wright
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
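
The combination Jason asks for (a public key and a PAM-verified password both required) no longer needs a source patch: OpenSSH releases from 6.2 onward accept an AuthenticationMethods directive in sshd_config whose comma-separated chains must all succeed in order. As an added example that is not part of this thread, here is a small Python audit that parses an sshd_config excerpt (the embedded sample is constructed, and the function names are my own) and reports whether every chain demands publickey plus a password or keyboard-interactive step, and whether at least one chain is actually enabled by the PubkeyAuthentication / PasswordAuthentication / KbdInteractiveAuthentication toggles. Match blocks are deliberately ignored, so treat the result as a global-policy check only.

```python
"""Audit an sshd_config for an AuthenticationMethods policy that requires
both a public key and a password-style (PAM) step.  Constructed example,
not OpenSSH project code."""

from typing import Dict, List, Tuple

# Constructed sample sshd_config excerpt.  The second chain can never
# succeed here because PasswordAuthentication is off, but the first one can.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
# Comma-separated methods form one chain; whitespace separates alternatives.
AuthenticationMethods publickey,keyboard-interactive publickey,password
"""

PASSWORD_LIKE = {"password", "keyboard-interactive"}

# Which sshd_config keywords switch each method on or off (all default to yes).
# keyboard-interactive was historically governed by ChallengeResponseAuthentication.
METHOD_TOGGLES: Dict[str, Tuple[str, ...]] = {
    "publickey": ("pubkeyauthentication",),
    "password": ("passwordauthentication",),
    "keyboard-interactive": ("kbdinteractiveauthentication",
                             "challengeresponseauthentication"),
}


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map lowercased keyword -> values in file order (sshd honours the first
    occurrence of most keywords, so callers should use index 0).  Comments and
    blank lines are skipped; both "Key value" and "Key=value" forms are read."""
    result: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        result.setdefault(key, []).append(value)
    return result


def chain_methods(chain: str) -> List[str]:
    """Split one chain into bare method names, dropping device suffixes such as
    the ':pam' in 'keyboard-interactive:pam'."""
    return [m.split(":")[0] for m in chain.split(",")]


def chains_require_key_and_password(value: str) -> bool:
    """True only if EVERY alternative chain lists publickey and at least one
    password-like method, i.e. no single factor is enough on its own."""
    chains = value.split()
    if not chains:
        return False
    for chain in chains:
        methods = chain_methods(chain)
        if "publickey" not in methods:
            return False
        if not any(m in PASSWORD_LIKE for m in methods):
            return False
    return True


def audit(text: str) -> List[str]:
    """Return findings; an empty list means key+password is enforced and at
    least one chain is fully enabled."""
    cfg = parse_sshd_config(text)

    def enabled(method: str) -> bool:
        for keyword in METHOD_TOGGLES.get(method, ()):
            if keyword in cfg:
                return cfg[keyword][0].lower() == "yes"
        return True  # unset toggles default to yes; unknown methods are not judged

    am = cfg.get("authenticationmethods")
    if not am:
        return ["AuthenticationMethods unset: any single successful method grants login"]

    findings: List[str] = []
    if not chains_require_key_and_password(am[0]):
        findings.append(f"AuthenticationMethods {am[0]!r}: a chain lacks publickey "
                        "or a password/keyboard-interactive step")
    if not any(all(enabled(m) for m in chain_methods(c)) for c in am[0].split()):
        findings.append("no chain is usable: each one names a method whose "
                        "*Authentication toggle is 'no'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG) or ["OK: key + password required"]:
        print(finding)
```

On a live host the same logic can be fed the effective configuration from `sshd -T` (run as root), which expands defaults and Match blocks for a given connection.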

