SSH multi factor authentication

Nico Kadel-Garcia nkadel at gmail.com
Sun Jul 10 00:47:34 AEST 2016


On Sat, Jul 9, 2016 at 10:30 AM, Ben Lindstrom <mouring at eviladmin.org> wrote:

> You'd do this by either moving the authorized_keys to another root-owned
> location using "AuthorizedKeysFile" (e.g. AuthorizedKeysFile
> /etc/ssh/keys/authorized_keys.%u).  Or you use "AuthorizedKeysCommand" and
> put the keys into a "database" to reference them via a simple root-owned
> program.

Yeah, that's doable. It's very rare, though. Many people prefer not to
touch the default sshd_config if they can avoid it. And maintaining
those keys as the root user to lock these credentials may not be work
most admins want to take on.

> Personally I'd use the AuthorizedKeysCommand for this setup as it would
> provide for a better programmatic way of managing keys.
>
> - Ben

Then you have to write, or activate and maintain, yet another tool.
Feasible, but not many folks consider it worth the work. I've *done*
things like that, way back with some "one-time password" tools I used
back in the remote 9600 baud modem era.
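
The AuthorizedKeysCommand approach discussed in this thread, as an added example that is not part of either poster's message: a lookup helper that serves keys from the root-owned /etc/ssh/keys/authorized_keys.%u layout quoted above. The install path /usr/local/sbin/ssh-keys-lookup and the function name lookup_keys are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical AuthorizedKeysCommand helper (not OpenSSH code).
# sshd_config lines to enable it (the script path is an assumption):
#   AuthorizedKeysCommand /usr/local/sbin/ssh-keys-lookup %u
#   AuthorizedKeysCommandUser nobody
# sshd itself requires the command to be root-owned and not writable by
# group or others; the key files must be readable by AuthorizedKeysCommandUser.

KEY_DIR="${KEY_DIR:-/etc/ssh/keys}"   # directory from the thread's example

# Print the authorized_keys lines for user $1; print nothing when in doubt.
lookup_keys() {
    user="$1"
    # Accept only plain account names so the name can never escape KEY_DIR.
    case "$user" in
        ""|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    file="$KEY_DIR/authorized_keys.$user"
    # Must be a regular file and not a symlink planted in the directory.
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    # Refuse a key file that group or others could modify.
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \))" ]; then
        return 1
    fi
    # Drop comments and blank lines; sshd parses the rest as authorized_keys.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$file"
}

# Act as the helper when invoked with a username argument.
if [ "$#" -gt 0 ]; then lookup_keys "$1"; fi
```

With this in place users can no longer add keys for themselves, since sshd consults only what the helper prints (plus any AuthorizedKeysFile still configured).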

