Security of ssh across a LAN, public key versus password

Stuart Henderson stu at spacehopper.org
Tue Oct 22 08:40:37 AEDT 2024


On 2024/10/21 12:02, David Lang via openssh-unix-dev wrote:
> A cert is a single factor, so is a password. Cert authentication
> is only two factor if you trust that the password is not stored
> along with the cert (which is on the untrusted client)

You can tell sshd to require *both* password and public key.

> This is why I push for challenge/response tokens, not simply
> cert authentication, and really wish that FIDO (such as yubikey)
> was an option, but the discussions I've seen about supporting
> that have not been encouraging.

hmm? That works pretty well in OpenSSH.
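
Added example, not part of the original post: requiring both factors is done with sshd's `AuthenticationMethods` keyword (for example `AuthenticationMethods publickey,password`). Because any one of several space-separated lists is sufficient, this sketch checks `sshd -T`-style output to confirm that every list demands both methods. The function name and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# requires_both: reads effective sshd configuration (the format printed by
# `sshd -T`) on stdin. Returns 0 only if an authenticationmethods line is
# present and EVERY space-separated list on it contains both publickey and
# password. Completing any single list grants access, so one weak list
# defeats the two-factor requirement.
requires_both() {
    awk '
        tolower($1) == "authenticationmethods" {
            seen = 1
            for (i = 2; i <= NF; i++) {
                n = split($i, m, ",")
                pk = 0; pw = 0
                for (j = 1; j <= n; j++) {
                    sub(/:.*/, "", m[j])   # drop a submethod suffix such as ":pam"
                    if (m[j] == "publickey") pk = 1
                    if (m[j] == "password")  pw = 1
                }
                if (!(pk && pw)) bad = 1
            }
        }
        END { exit (seen && !bad) ? 0 : 1 }
    '
}

# Constructed samples of effective configuration (hypothetical hosts).
GOOD='port 22
authenticationmethods publickey,password'
# Second list lets a key alone succeed, so this is still single factor.
WEAK='port 22
authenticationmethods publickey,password publickey'
# What sshd reports when the keyword is not set.
DEFAULT='authenticationmethods any'

printf '%s\n' "$GOOD" | requires_both && echo "GOOD: both factors required"
printf '%s\n' "$WEAK" | requires_both || echo "WEAK: a list allows one factor alone"
printf '%s\n' "$DEFAULT" | requires_both || echo "DEFAULT: any single method is accepted"
```

On a real server the input would come from `sshd -T` run as root, adding `-C user=...,host=...,addr=...` to evaluate `Match` blocks for a specific connection.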


