Feature - Password over Pubkey auth
Eduardo Suarez-Santana
eduardo at itccanarias.org
Sun Aug 3 19:54:05 AEST 2025
Hi,
this is just an idea.
I've observed that password authentication typically passes through the
server-side PAM authentication modules. This may be useful for instance to
unlock an encrypted home directory using the user's password.
On the other hand, public key authentication may be run passwordless from the
client, which is also a great feature, but it does not allow unlocking the home
directory.
I wonder whether a hybrid authentication method could be implemented, where
the password of the user is stored along with the authorized public key in the
server, but instead of storing it in plain text, it would be stored encrypted
with the public key.
So, I'm proposing a new authentication method that would send the
encrypted password to the client, so the client could decrypt it with the
private key, and then send it back to the server.
Finally, the server would use the decrypted password to authenticate the user
against the PAM modules.
This way, the user would be able to unlock the home directory, and at the same
time, the public key authentication would be passwordless.
I'd love to hear your thoughts about this idea.
-Eduardo
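The exchange sketched in the post, worked through as an added example that is not part of the original message and not OpenSSH code. It assumes RSA-OAEP (with SHA-256) for the stored password, a salted SHA-256 hash as a stand-in for the PAM/shadow check, and a constructed user password; the function names (Enroll, ServerChallenge, ClientRespond, ServerVerify, Authenticate) are hypothetical. Enrollment is the one-time step where the server encrypts the password to the authorized public key; authentication replays the three messages described in the post: server sends ciphertext, client decrypts with its private key, server checks the returned password.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// OAEP label bound into the ciphertext; both sides must use the same one.
var oaepLabel = []byte("password-over-pubkey-example") // hypothetical label

// Enrollment is what the server would keep next to the authorized public key:
// the login password encrypted to that key, plus a stand-in for the PAM side.
type Enrollment struct {
	PubKey     *rsa.PublicKey
	EncPasswd  []byte // password encrypted with the user's public key
	Salt       []byte // constructed stand-in for the shadow/PAM store
	PasswdHash []byte // salted SHA-256 of the password (stand-in for PAM)
}

// hashPassword is the toy PAM backend: SHA-256(salt || password).
func hashPassword(salt, passwd []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write(passwd)
	return h.Sum(nil)
}

// Enroll stores the password encrypted under the user's public key (server side, one time).
func Enroll(pub *rsa.PublicKey, passwd []byte) (*Enrollment, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, passwd, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Enrollment{PubKey: pub, EncPasswd: enc, Salt: salt, PasswdHash: hashPassword(salt, passwd)}, nil
}

// ServerChallenge is message 1: the server sends the stored ciphertext to the client.
func ServerChallenge(e *Enrollment) []byte { return e.EncPasswd }

// ClientRespond is message 2: the client decrypts with its private key and returns the plaintext.
// A client holding a different key cannot decrypt and gets an error instead of a password.
func ClientRespond(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, challenge, oaepLabel)
}

// ServerVerify is message 3's check: the server hands the password to "PAM" (our hash compare).
func ServerVerify(e *Enrollment, passwd []byte) bool {
	return subtle.ConstantTimeCompare(hashPassword(e.Salt, passwd), e.PasswdHash) == 1
}

// Authenticate runs the full exchange and reports whether PAM would accept the user.
func Authenticate(e *Enrollment, priv *rsa.PrivateKey) (bool, error) {
	resp, err := ClientRespond(priv, ServerChallenge(e))
	if err != nil {
		return false, err // wrong key: decryption fails, nothing reaches PAM
	}
	return ServerVerify(e, resp), nil
}

func main() {
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	enr, err := Enroll(&userKey.PublicKey, []byte("constructed-example-passphrase"))
	if err != nil {
		panic(err)
	}
	ok, err := Authenticate(enr, userKey)
	fmt.Println("authorized key:", ok, err)
	ok, err = Authenticate(enr, otherKey)
	fmt.Println("other key:     ", ok, err)
}
```

Two properties of the design stand out in the code: the client proves possession of the private key by the decryption itself, so a wrong key fails before anything reaches the PAM step, and the plaintext password does cross from client to server in message 2, which in a real implementation would ride inside the already-encrypted SSH transport rather than a bare connection.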