"Semi-Trusted" SSH-Keys that also require PAM login

Brian Candler b.candler at pobox.com
Thu Oct 22 18:34:35 AEDT 2020


On 22/10/2020 00:12, Jan Bergner wrote:
> TL;DR: Let us rephrase the question to "How can I require an 
> additional layer of authentication for certain SSH keys, but not for 
> all of them?" 

Would it be sufficient to have an additional layer of authentication 
when the client connects from address X, but not address Y?  That is, 
you are allowed to skip 2FA when connecting from a trusted IP address?

AuthenticationMethods publickey,password

Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
AuthenticationMethods publickey




More information about the openssh-unix-dev mailing list