SSH multi factor authentication
Nico Kadel-Garcia
nkadel at gmail.com
Sun Jul 10 00:47:34 AEST 2016
On Sat, Jul 9, 2016 at 10:30 AM, Ben Lindstrom <mouring at eviladmin.org> wrote:
> You'd do this by either moving the authorized_keys to another root-owned
> location using "AuthorizedKeysFile" (e.g. AuthorizedKeysFile
> /etc/ssh/keys/authorized_keys.%u). Or you use "AuthorizedKeysCommand" and
> put the keys into a "database" to reference them via a simple root-owned
> program.
Yeah, that's doable. It's very rare, though. Many people prefer not to
touch the default sshd_config if they can avoid it. And maintaining
those keys as the root user to lock these credentials may not be work
most admins want to take on.
> Personally I'd use the AuthorizedKeysCommand for this setup as it would
> provide for a better programmatic way of managing keys.
>
> - Ben
Then you have to write, or activate and maintain, yet another tool.
Feasible, but not many folks consider it worth the work. I've *done*
things like that, way back with some "one-time password" tools I used
back in the remote 9600 baud modem era.