How can I make SSH with an identity file always demand a password?

Douglas E Engert deengert at
Wed Aug 25 22:02:40 AEST 2021

On 8/24/2021 6:26 PM, Damien Miller wrote:
> On Tue, 24 Aug 2021, Jochen Bern wrote:
>> On 23.08.21 12:18, Stuart Henderson wrote:
>>> Other replies have looked at this from the client side and agent caching,
>>> but you can also require on the server that a password *as well as* a
>>> public key is offered. That also guards against users who did not use
>>> a password/passphrase to protect their key.
>> Or [ fail to use | use a reimplementation that lacks ] the "-c" and "-t"
>> options of ssh-add.
>> However, I seem to remember that at some point (one or two years ago?),
>> there was an announcement that in future versions of OpenSSH, the server
>> side may get *told* whether the auth was done with or without *human*
>> interaction on the client side (i.e., when talking about user keypair
>> auth, passphrase entered vs. straight out of some agent) and could
>> reject a non-interactive attempt, which would satisfy the OP's need. Any
>> news of that, or am I misremembering?
> Someone might have asked, but I would have replied that it would not
> be reliable as the client could simply lie about whether the attempt
> was interactive or not, thereby making it an unreliable signal at the
> server.
> Since then, FIDO keys have come along. The user-presence/user-verified
> bits are probably the closest you can come to this. We fully support
> these, but there are caveats - the biggest of which is that you have
> to implement your own key attestation flow to ensure the keys that
> you're trusting at the server are actually resident on hardware.

One way to do this is with certificate extensions.
I did that for Shibboleth, AD and gov-issued PIV cards years ago. The government
agency CA will only add the Microsoft EKU Smart Card Logon (
to the authentication certificate where the key resides on the smart card.
This requires trusting this policy of the CA.
(Never tried that with SSH.)

> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at


  Douglas E. Engert  <DEEngert at>
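Added here as an illustration of the server-side controls mentioned above (requiring a password in addition to a public key, and the FIDO user-verification bit); this is not code from the thread or from OpenSSH. It assumes the `sshd -T` dump format (one lowercased keyword per line, `AuthenticationMethods` as space-separated chains of comma-separated methods, `PubkeyAuthOptions` as a comma-separated list available in OpenSSH 8.4+), and the sample dump is constructed.

```python
"""Audit an `sshd -T` dump for two server-side controls discussed in the thread:
(1) AuthenticationMethods that require a password *as well as* a public key, and
(2) PubkeyAuthOptions verify-required, which demands FIDO user verification.
Note that verify-required only affects sk-* (FIDO) keys, not plain RSA/Ed25519 keys."""

# Constructed sample of `sshd -T` output (keywords are printed lowercased).
SAMPLE_DUMP = """\
port 22
pubkeyauthentication yes
passwordauthentication yes
authenticationmethods publickey,password
pubkeyauthoptions verify-required
"""

def parse_sshd_dump(text):
    """Map each effective keyword to its value(s); repeated keywords accumulate."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def requires_password_with_key(conf):
    """True only if every AuthenticationMethods chain includes both publickey and password.
    Any chain that succeeds grants access, so a lone 'publickey' chain defeats the control."""
    chains = " ".join(conf.get("authenticationmethods", ["any"])).split()
    if chains == ["any"]:
        return False
    return all({"publickey", "password"} <= set(c.split(",")) for c in chains)

def requires_user_verification(conf):
    """True when verify-required is set (default value printed by sshd -T is 'none')."""
    opts = " ".join(conf.get("pubkeyauthoptions", ["none"])).split(",")
    return "verify-required" in [o.strip() for o in opts]

def audit(text):
    """Return the two findings for a dump; run `sshd -T | python3 audit.py` style on a real host."""
    conf = parse_sshd_dump(text)
    return {
        "second_factor_enforced": requires_password_with_key(conf),
        "fido_user_verification_required": requires_user_verification(conf),
    }
```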
