Auth via Multiple Publickeys, Using Multiple Sources, One Key per Source

Damien Miller djm at mindrot.org
Thu Jun 4 09:13:46 AEST 2020


On Wed, 3 Jun 2020, mailto428496 wrote:

> I don't see a way to do this currently (unless I am missing something) 
> but I would like to be able to specify that in order for a user to 
> log in, they need to use at least 1 public key from 2 separate key 
> sources.  Specifically this would be when using "AuthenticationMethods 
> publickey,publickey".  Right now requiring 2 public keys for 
> authentication will allow 2 public keys from any authorized key source 
> specified without distinction.  I would like a way to say, require 1 key 
> from source A and 1 key from source B.
> 
> Like if there was a way to specify something like this for example:
> 
> AuthenticationMethods publickey[1],publickey[2]
> 
> AuthorizedKeysCommand[1] <source_a_command_script>
> 
> AuthorizedKeysCommand[2] <source_b_command_script>
> 
> and the same for AuthorizedKeysFile (for our needs multiple commands 
> would be fine, but might as well support it for both).

There's no way to do this at present. If we can figure out a good
syntax for expressing it, then we could add it (a few people have
asked for similar things before).

-d


More information about the openssh-unix-dev mailing list