Re: Requiring certificate signature and an authorized key to authenticate

Erik Johnston erikj-openssh at
Fri Jun 28 21:07:42 AEST 2019

Thanks Damien, that broadly aligns with my understanding.

On Fri, 28 Jun 2019, at 03:46, Damien Miller wrote:
> I'm certainly open to implementing the other parts that are needed to
> pure-pubkey MFA, but I'm unsure what the sshd configuration UI would
> look like. So let me ask: how would you like it to work?

I've been thinking what the configuration could look like over the past few days, and really it feels like the options depend on how configurable we'd like to make things in the future.

Where I've broadly ended up is allowing configurable auth stages, something akin to:

AuthenticationMethods: custom_stage,pubkey

AuthStage custom_stage
    AuthenticationMethod: pubkey
    AuthorizedKeysFile: authorized_ca_file

i.e. where you take an existing auth method but allow it to be configured. This could then (?) be later extended to allow adding additional restrictions based on the stages used to authenticate, e.g. only allow running a commad, IP locking, etc akin to the restrictions that can be added to authorized keys file. This feels like the most generic solution that'll most easily support further extensions to the auth flows.

The downside here (other than complexity to implement) is that the authentication flows are now potentially convoluted, making it harder for operators to check that the settings are secure at a glance and making it easier to misconfigure it. Though given the way that auth can be delegated to PAM the horse may have bolted somewhat on that one.

On the other hand just allowing the auth stages to have some (minimal) configuration as part of the `AuthenticationMethods` line may be the right approach by virtue of its sheer simplicity.

(I was planning on having a bit more of a poke of the code base to try and figure out a bit what sort of things would be feasible to add without too much work, but haven't managed to get that far yet.)

On 28/06/2019 07:28, Jakub Jelen wrote:
> As already said, there is no simple way to do this in OpenSSH itself.
> But since few releases back, the OpenSSH can publish [1] what
> authentication was used in OpenSSH for PAM, which can in the end do the
> final decision whether the authentication was valid or not (two public
> keys or one of the valid certificate).

Ah, I hadn't realised this! Thanks for pointing it out, that sounds like it could be really quite useful indeed.

More information about the openssh-unix-dev mailing list