SSH multi factor authentication

Ben Lindstrom mouring at
Sun Jul 10 00:30:57 AEST 2016

Nico Kadel-Garcia wrote:
> On Thu, Jul 7, 2016 at 10:00 AM, Bruce F Bading<badingb at>  wrote:
>> Hi Gentlemen,
>> Thank you both for your valued opinion.  I do however agree that public key
>> authentication cannot be fully considered MFA as have 2 PCI QSAs I have
>> spoken with.  This is because it is not enforceable server side.  Many
>> things can affect client side security.
>> It is distributable and not enforceable at a single point.
>> The key can be regenerated or downloaded again and regenerated to remove
>> the paraphrase making it single factor authentication.
> It's not merely possible. It's popular, and nearly inevitable. And
> unless you can enforce use of a designated public key on the server
> side, for example by breaking ownership checks and making the file and
> directories owned by root with user groupo access, or by
> auto-replacing $HOME/.ssh/authorized_keys, well, the user can replace
> the key at whim with their own insecure key.

You'd do this by either moving the authorized_keys to another a root 
owned location using "AuthorizedKeysFile" (e.g. AuthorizedKeysFile 
/etc/ssh/keys/authorized_keys.%u).  Or you use "AuthorizedKeysCommand" 
and put the keys into a "database" to reference them via a simple 
root-owned program.

Personally I'd use the AuthorizedKeysCommand for this setup as it would 
provide for a better programmatic way of managing keys.

- Ben

More information about the openssh-unix-dev mailing list