"Semi-Trusted" SSH-Keys that also require PAM login

Jan Bergner jan.bergner at indurad.com
Fri Oct 23 19:32:31 AEDT 2020 

Hello Damien, Brian and all,

thanks for the suggestions. I actually had not considered host-based 
authentication and looked it up.
As I understand from my first quick reading, I would need to specify the 
clients which are allowed to use host-based auth on the server with a 
DNS name or an IP, which would not work for a client behind a CG NAT or 
in a cellular network.
Or did I get this wrong?

So, this is also an answer to Brian. Right now, I cannot simply use IPs.
(However, it would not be out of reach to simply put all clients on a 
private VPN. But I would consider that more of a work-around to the 
original problem.)

Thanks and best,
Jan

Am 22.10.20 um 01:31 schrieb Damien Miller:
> On Wed, 21 Oct 2020, Jan Bergner wrote:
> 
>>
>> Hello all,
>>
>> in order to connect to my SSH servers from untrusted devices like company computers or my smartphone, I set up 2FA with
>> google-authenticator hooked into PAM.
>>
>> However, this is not really 2FA at least for the smartphone, since I use the same device for generating the TANs and it
>> is also at least inconvenient to always require a new TAN for each connection. I do not want to solely rely on SSH keys
>> on these devices since - as I pointed out - I do not really trust them.
>>
>> So, my idea was to use SSH keys but to also require the server's PAM login for these "semi-trusted" keys. But of course,
>> I want to trust the keys on my own laptop and desktop without an additional PAM password. Therefore, I cannot simply use
>> something like
>>
>> AuthenticationMethods publickey,password
> 
> Since the main difference here is how much you trust the originating host,
> you might want to consider setting up host-based authentication for those
> hosts and using a config like:
> 
> AuthenticationMethods publickey,password publickey,hostbased
> 
> This would allow users to log in with (public key AND password) OR
> (public key and host-based).
> 
> -d
> 

-- 
*Jan Bergner, M.Sc. *
Senior IT Administrator

*indurad GmbH*
*The Industrial Radar Company*

Belvedereallee 5
52070 Aachen, Germany
Office: + 49 241 538070-61
Front Desk: + 49 241 538070-0
Fax: + 49 241 538070-99

jan.bergner at indurad.com
www.indurad.com <http://www.indurad.com/>

More information about the openssh-unix-dev mailing list