Security of ssh across a LAN, public key versus password
Stuart Henderson
stu at spacehopper.org
Tue Oct 22 08:40:37 AEDT 2024
On 2024/10/21 12:02, David Lang via openssh-unix-dev wrote:
> A cert is a single factor, so is a password. Cert authentication
> is only two factor if you trust that the password is not stored
> along with the cert (which is on the untrusted client)
You can tell sshd to require *both* password and public key.
> This is why I push for challenge/response tokens, not simply
> cert authentication, and really wish that FIDO (such as yubikey)
> was an option, but the discussions I've seen about suporting
> that have not been encouraging.
hmm? That works pretty well in OpenSSH.
More information about the openssh-unix-dev
mailing list