How can I make SSH with an identity file always demand a password?

Douglas E Engert deengert at gmail.com
Wed Aug 25 22:02:40 AEST 2021 


On 8/24/2021 6:26 PM, Damien Miller wrote:
> On Tue, 24 Aug 2021, Jochen Bern wrote:
> 
>> On 23.08.21 12:18, Stuart Henderson wrote:
>>> Other replies have looked at this from the client side and agent caching,
>>> but you can also require on the server that a password *as well as* a
>>> public key is offered. That also guards against users who did not use
>>> a password/passphrase to protect their key.
>>
>> Or [ fail to use | use a reimplementation that lacks ] the "-c" and "-t"
>> options of ssh-add.
>>
>> However, I seem to remember that at some point (one or two years ago?),
>> there was an announcement that in future versions of OpenSSH, the server
>> side may get *told* whether the auth was done with or without *human*
>> interaction on the client side (i.e., when talking about user keypair
>> auth, passphrase entered vs. straight out of some agent) and could
>> reject a non-interactive attempt, which would satisfy the OP's need. Any
>> news of that, or am I misremembering?
> 
> Someone might have asked, but I would have replied that it would not
> be reliable as the client could simply lie about whether the attempt
> was interactive or not, thereby making it an unreliable signal at the
> server.
> 
> Since then, FIDO keys have come along. The user-presence/user-verified
> bits are probably the closest you can come to this. We fully support
> these, but there are caveats - the biggest of which is that you have
> to implement your own key attestation flow to ensure the keys that
> you're trusting at the server are actually resident on hardware.

One way to do this is with certificate extensions.
I did that for Shibboleth, AD and gov issues PIV cards years ago. The government
agency CA will only add the Microsoft EKU Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
to the authentication certificate where the key resides on the smart card.
This requires trusting this policy of the CA.
(Never tried that with SSH.)

> 
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 

-- 

  Douglas E. Engert  <DEEngert at gmail.com>

More information about the openssh-unix-dev mailing list