Feature - Password over Pubkey auth

Brian Candler b.candler at pobox.com
Mon Aug 4 18:10:17 AEST 2025


On 03/08/2025 10:54, Eduardo Suarez-Santana via openssh-unix-dev wrote:
> I wonder whether a hybrid authentication method could be implemented, where
> the password of the user is stored along with the authorized public key in the
> server, but instead of storing it in plain text, it would be stored encrypted
> with the public key.
>
> So that, I'm proposing a new authentication method that would send the
> encrypted password to the client, so the client could decrypt it with the
> private key, and then send it back to the server.
>
> Finally, the server would use the decrypted password to authenticate the user
> against the PAM modules.
>
> This way, the user would be able to unlock the home directory, and at the same
> time, the public key authentication would be passwordless.

The nearest existing mechanism I can think of is SSH agent forwarding.
Unfortunately, AFAIK the SSH agent protocol only has a "sign" operation,
not a "decrypt" operation. But it is extensible.

An example of how a PAM module can interact with SSH agent: 
https://github.com/uber/pam-ussh
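To make the two points in this reply concrete (the agent exposes only a sign operation on private keys, and the protocol has a generic extension message through which anything else, such as the decrypt step the proposal needs, would have to be carried), here is an added example, not OpenSSH code and not part of the thread. It encodes and parses SSH agent messages using the message numbers and framing from draft-miller-ssh-agent, and models a minimal agent that knows only how to answer sign requests. The extension name "decrypt@example.com" and its payload layout are assumptions for illustration; no agent implements them, and the signature the toy agent returns is a labelled placeholder rather than a real signature.

```python
"""Encoder/decoder for SSH agent protocol messages (draft-miller-ssh-agent).

Added example for the openssh-unix-dev thread on a "password over pubkey"
scheme; not OpenSSH or pam-ussh code. It shows the framing of the only
private-key operation the agent offers (SSH_AGENTC_SIGN_REQUEST, 13) and
the generic extension request (SSH_AGENTC_EXTENSION, 27) through which a
hypothetical "decrypt" operation would have to travel. The extension name
"decrypt@example.com" is an assumption, not a registered extension.
"""
import struct

# Message numbers from draft-miller-ssh-agent.
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
SSH_AGENTC_EXTENSION = 27
SSH_AGENT_EXTENSION_FAILURE = 28


def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    """Read an SSH 'string' at offset; returns (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def frame(msg_type: int, payload: bytes = b"") -> bytes:
    """Agent message on the wire: uint32 length, byte type, payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def unframe(wire: bytes):
    """Split one complete wire message into (type, payload); reject bad lengths."""
    if len(wire) < 5:
        raise ValueError("short message")
    (n,) = struct.unpack_from(">I", wire, 0)
    if n < 1 or 4 + n != len(wire):
        raise ValueError("length field does not match message")
    return wire[4], wire[5:4 + n]


def sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """SSH_AGENTC_SIGN_REQUEST: string key blob, string data to sign, uint32 flags."""
    return frame(SSH_AGENTC_SIGN_REQUEST,
                 put_string(key_blob) + put_string(data) + struct.pack(">I", flags))


def extension_request(name: str, contents: bytes) -> bytes:
    """SSH_AGENTC_EXTENSION: string extension-type, then extension-specific bytes."""
    return frame(SSH_AGENTC_EXTENSION, put_string(name.encode()) + contents)


def parse_request(wire: bytes) -> dict:
    """Decode a client->agent request into a dict; unknown types are reported, not guessed at."""
    t, p = unframe(wire)
    if t == SSH_AGENTC_SIGN_REQUEST:
        key, off = get_string(p, 0)
        data, off = get_string(p, off)
        if off + 4 != len(p):
            raise ValueError("malformed sign request")
        (flags,) = struct.unpack_from(">I", p, off)
        return {"type": "sign", "key_blob": key, "data": data, "flags": flags}
    if t == SSH_AGENTC_EXTENSION:
        name, off = get_string(p, 0)
        return {"type": "extension", "name": name.decode(), "contents": p[off:]}
    return {"type": "other", "msg_type": t}


class ToyAgent:
    """An agent that, like today's protocol, only knows 'sign'.

    Any extension request, including an assumed decrypt extension, is answered
    with SSH_AGENT_EXTENSION_FAILURE; malformed input gets SSH_AGENT_FAILURE.
    """

    def __init__(self, known_key_blob: bytes):
        self.key = known_key_blob

    def handle(self, wire: bytes) -> bytes:
        try:
            req = parse_request(wire)
        except ValueError:
            return frame(SSH_AGENT_FAILURE)
        if req["type"] == "sign" and req["key_blob"] == self.key:
            # Placeholder: a real agent signs req["data"] with the private key here.
            sig = put_string(b"ssh-ed25519") + put_string(b"<placeholder signature>")
            return frame(SSH_AGENT_SIGN_RESPONSE, put_string(sig))
        if req["type"] == "extension":
            return frame(SSH_AGENT_EXTENSION_FAILURE)
        return frame(SSH_AGENT_FAILURE)
```

The shape of the sign request is the relevant detail for the thread: the agent is handed a session-bound blob to sign and never returns anything derived from decrypting data supplied by a remote party, so the proposed "send the encrypted password to the client and get the plaintext back" round trip cannot be expressed with message 13 and would need its own extension type, which existing agents would answer with message 28 exactly as the toy agent does.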


More information about the openssh-unix-dev mailing list