SSH multi factor authentication

Michael Ströder michael at
Mon Jul 11 02:05:56 AEST 2016

Bruce F Bading wrote:
> There has been some good discussion around our IBM security team as to what
> actually constitutes SSH multi factor authentication.

In general it's worth to put a lot of thinking in this topic considering how SSH
access is used by all your operators. Think of ansible, cluster SSH, fabric and
other automation tools for mass administration of many machines via SSH.

> There are 2 options
> being discussed.
> One, the Google Authenticator (OTP authentication).
> Two, Public/Private key authentication (pubkeyauthentication = yes) which
> supports pass phrase private key authentication.

Security OATH-HOTP or OATH-TOTP relies on keeping a shared secret really secret
and securely authenticate it during enrollment process. Personally I don't
consider a Smartphone to be a secure secret store. YMMV.

> Which of these is considered multi-factor authentication and can you give a
> brief response?  There are different opinions here and your opinion is
> greatly appreciated.

Some valuable security aspects were already pointed out by others.

Especially you have to restrict the management of SSH authorized keys by some means.

Another thing you have to bear in mind is that the usual smart-cards, USB crypto
tokens or similar are pretty slow. For one signature operation most devices
still need at least ~ one second. That does not sound much but can sum up when
accessing managing many machines at once (again: ansible, cluster SSH, fabric).

More information upon request since it might be considered off-topic here.

Ciao, Michael.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4245 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the openssh-unix-dev mailing list