Auth via Multiple Publickeys, Using Multiple Sources, One Key per Source

mailto428496 mailto628496 at cox.net
Sun Jun 7 05:56:27 AEST 2020


Damien,

Thanks, it would be great if this functionality could be added!

I haven't thought about the syntax too much other than my quick proposal 
below.  But assuming the old syntax would be left as is and the new 
multiple source syntax would be optional?  Maybe 'publickey' could be an 
alias for 'publickey[0]' for backward compatibility, and the same thing 
for the accompanying AuthorizedKeys* options that would be referenced?


Jim


On 2020-06-03 19:13, Damien Miller wrote:
> On Wed, 3 Jun 2020, mailto428496 wrote:
>
>> I don't see a way to do this currently (unless I am missing something)
>> but I would like to be able to specify that in order for a user to
>> login, they need to use at least 1 public key from 2 separate key
>> sources.  Specifically this would be when using "AuthenticationMethods
>> publickey,publickey".  Right now requiring 2 public keys for
>> authentication will allow 2 public keys from any authorized key source
>> specified without distinction.  I would like a way to say, require 1 key
>> from source A and 1 key from source B.
>>
>> Like if there was a way to specify something like this for example:
>>
>> AuthenticationMethods publickey[1],publickey[2]
>>
>> AuthorizedKeysCommand[1] <source_a_command_script>
>>
>> AuthorizedKeysCommand[2] <source_b_command_script>
>>
>> and the same for AuthorizedKeysFile (for our needs multiple commands
>> would be fine, but might as well support it for both)
> There's no way to do this at present. If we can figure out a good
> syntax for expressing it, then we could add it (a few people have
> asked for similar things before).
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
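To make the gap Jim describes concrete, here is an added model (not OpenSSH code, and not something either poster wrote) of how today's `AuthenticationMethods publickey,publickey` check differs from the proposed per-source `publickey[1],publickey[2]` form. The `publickey[N]` syntax is the hypothetical one from the thread and does not exist in sshd; the source labels, fingerprints and the evaluation functions are constructed for illustration and only approximate sshd's real processing.

```python
"""Model of per-source public-key requirements as proposed in the thread.

Added illustration only: sshd has no publickey[N] syntax, and these functions
are a simplified stand-in for sshd's AuthenticationMethods processing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthenticatedKey:
    """A key the client proved possession of, tagged with the AuthorizedKeys*
    source (file or command) it was matched against."""
    fingerprint: str   # constructed sample value, not a real key fingerprint
    source: str        # constructed label for the source that listed the key


def parse_methods(spec: str) -> list[tuple[str, int | None]]:
    """Parse a hypothetical method list such as 'publickey[1],publickey[2]'.

    Returns (method, source_index) pairs. A bare 'publickey' yields index
    None, which the thread suggests could alias publickey[0] for
    backward compatibility.
    """
    methods = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\w+)(?:\[(\d+)\])?", item.strip())
        if not m:
            raise ValueError(f"bad method spec: {item!r}")
        methods.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return methods


def current_semantics_pass(methods, keys) -> bool:
    """Today's sshd rule (simplified): 'publickey,publickey' is satisfied by
    any two *different* authorized keys, whichever source listed them."""
    required = sum(1 for method, _ in methods if method == "publickey")
    distinct = {k.fingerprint for k in keys}
    return len(distinct) >= required


def per_source_pass(methods, keys, sources_by_index) -> bool:
    """Proposed rule: each publickey[N] slot must be satisfied by a key from
    source N, and a given key can fill only one slot."""
    remaining = list(keys)
    for method, idx in methods:
        if method != "publickey":
            continue
        wanted = sources_by_index[idx if idx is not None else 0]
        match = next((k for k in remaining if k.source == wanted), None)
        if match is None:
            return False
        remaining.remove(match)
    return True


# Constructed sample data: two key sources, as in the thread's example.
SOURCES = {1: "source_a_command", 2: "source_b_command"}
METHODS = parse_methods("publickey[1],publickey[2]")

# Two distinct keys, both listed only by source A.
SAME_SOURCE_KEYS = [
    AuthenticatedKey("SHA256:constructed-key-A1", "source_a_command"),
    AuthenticatedKey("SHA256:constructed-key-A2", "source_a_command"),
]
# One key from each source.
SPLIT_KEYS = [
    AuthenticatedKey("SHA256:constructed-key-A1", "source_a_command"),
    AuthenticatedKey("SHA256:constructed-key-B1", "source_b_command"),
]


def compare() -> dict[str, bool]:
    """Show where the two rules diverge: two keys from one source pass today's
    check but fail the per-source requirement."""
    return {
        "same_source_current": current_semantics_pass(METHODS, SAME_SOURCE_KEYS),
        "same_source_proposed": per_source_pass(METHODS, SAME_SOURCE_KEYS, SOURCES),
        "split_current": current_semantics_pass(METHODS, SPLIT_KEYS),
        "split_proposed": per_source_pass(METHODS, SPLIT_KEYS, SOURCES),
    }


if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name:22s} {'PASS' if ok else 'FAIL'}")
```

The divergence on `SAME_SOURCE_KEYS` is the point of the request: under the existing semantics a client holding two keys from a single source satisfies `publickey,publickey`, so a compromise of that one source's key material defeats the intended two-source requirement; only a per-source binding closes that.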

