Requiring certificate signature and an authorized key to authenticate

[Damien Miller]

On Tue, 25 Jun 2019, Erik Johnston wrote:

> Hey everyone,
>
> Basically, I'm trying to figure out if I can configure sshd to require
> that the user has a key that has been signed by a trusted user CA
> *and* is listed separately as an authorised key (or the user has a
> signed key and a different authorised key)?
>
> The closest I've come is having an `authorized_keys` file have
> two entries consisting of the CA key and a normal key with
> `AuthenticationMethods: publickey,publickey` option set, so that sshd
> requires that a user produces both the normal key and a signed key.
> This works, but means a user can't then have multiple keys (e.g. one
> per device), and feels somewhat brittle in that adding a key to that
> file breaks the requirement that the user presents a signed key.

There's no good way to express multi-factor authentication using just
keys in sshd_config at the moment. You've hit on what is the closest
that you can do - listing each of the keys that you require and
setting AuthenticationMethods=publickey,publickey

This only happens to work because most* versions of sshd will refuse
to allow a single public key to pass multiple required authentications.
That this allows MFA using pubkeys only isn't quite accidental behaviour
(I had this case in mind when I implemented it), but its still a long
way from a proper system.

I'm certainly open to implementing the other parts that are needed to
pure-pubkey MFA, but I'm unsure what the sshd configuration UI would
look like. So let me ask: how would you like it to work?

I guess the cert+plain key combo is likely to be a fairly common
requirment. Maybe we could bundle the keys required into the
AuthenticationMethods line, e.g.

AuthenticationMethods publickey:CA/9+CulD19jyl0DEPteRcXM8uVbYsG3MgbSslrgXkt458,publickey

-d

* versions prior to 6.8 didn't enforce this