SSH multi factor authentication

Damien Miller djm at
Mon Jul 4 16:04:23 AEST 2016

On Sun, 3 Jul 2016, Stephen Harris wrote:

> On Sun, Jul 03, 2016 at 09:19:43PM -0500, Bruce F Bading wrote:
> > One, the Google Authenticator (OTP authentication).
> On its own, this is not 2FA.  It's single factor ("something you
> have").
> A combination of Google Authenticator _and_ password is 2FA.  This is
> easy to do with PAM.


> > Two, Public/Private key authentication (pubkeyauthentication = yes) which
> > supports pass phrase private key authentication.
> This is 2FA in that you need the private key and the passphrase for it.

I don't agree - being able to unlock a private key is just part of
"possessing" it.

OTOH publickey+password authentication could be considered 2FA. Ideally
with the key rendered practically uncloneable by holding it on a token, etc.


More information about the openssh-unix-dev mailing list