Auth via Multiple Publickeys, Using Multiple Sources, One Key per Source

Brian Candler b.candler at
Wed Jun 3 19:11:30 AEST 2020

On 03/06/2020 09:30, mailto428496 wrote:
> Let me also give an example of why I am interested in this, for 
> context.  We would like to associate two different types of public 
> keys with each user's account.  One would be a "client machine" public 
> key (of which there could be several, if the user is allowed to login 
> from multiple systems) and the other would be a public key from a user 
> token, such as a smartcard (we don't want 2 "client machine" public 
> keys to be able to be combined to bypass the user's token login).  A 
> (poor) workaround is to use the same private key on all of the users 
> machines but I would prefer not to do this, both in general for 
> security reasons and also so that if a user's machine is lost, stolen 
> or we just want to deauthorize it, the pubkey for that machine can be 
> removed from the database. 

I can't answer your question directly, but I do run a somewhat 
comparable setup. In my case, the user token is a Yubikey running in its 
original OTP mode rather than as a smartcard, which lets me combine 
publickey with keyboard-interactive.

==> sshd_config <==

# Policy for authentication
AuthenticationMethods publickey,keyboard-interactive:pam

# From office and VPN addresses, 2FA not required
Match Address,,fd00::/8
AuthenticationMethods publickey

==> /etc/pam.d/ssh <==

#@include common-auth
auth sufficient id=XXXX key=XXXX debug 
authfile=/etc/yubikey_mapping mode=client

==> /etc/yubikey_mapping <==


Note that the server needs to be able to make outbound HTTPS calls to 
the Yubikey OTP validation API (at least, if you don't want to run your 
own key management infrastructure)


It seems the underlying use case here is you want to certify each client 
device individually, as well as the user holding the token.

I can suggest another way to achieve that: use a U2F (FIDO) security 
token with ecdsa-sk keys.

You generate a new ecdsa-sk pair on each device, but wrapped with the 
same FIDO token.  You put all of those public keys in your 
authorized_keys file.  In order to login, the user requires any one of 
the devices containing an authorized ecdsa-sk private key *and* its 
passphrase *and* the correct FIDO token to unlock it. If a device is 
stolen, you can disable just the ecsda-sk key for that device.  If the 
FIDO token is stolen, then all keys are useless and you'll need to rekey 
all devices with a new token.

This works well (and FIDO tokens are cheap), but requires openssh 8.2+ 
at both client and server side.

One other idea which is closer to your original intent: would it be 
possible to use the smartcard to decrypt the private key on each 
device?  In other words, you want an ssh-agent which doesn't use your 
smartcard to authenticate, but uses your smartcard to decrypt the stored 
private key which is then used to authenticate.  I don't know if such a 
thing exists.



More information about the openssh-unix-dev mailing list