Feature - Password over Pubkey auth
Eduardo Suarez-Santana
eduardo at itccanarias.org
Mon Aug 4 18:19:44 AEST 2025
On Mon, Aug 04, 2025 at 10:58:10AM +0300, Alexander Bokovoy wrote:
> On Sun, 03 Aug 2025, Eduardo Suarez-Santana via openssh-unix-dev wrote:
> > Hi,
> >
> > this is just an idea.
> >
> > I've observed that password authentication typically passes through the
> > server-side PAM authentication modules. This may be useful for instance to
> > unlock an encrypted home directory using the user's password.
> >
> > On the other hand, public key authentication may be run passwordless from the
> > client, which is also a great feature, but it does not allow unlocking the home
> > directory.
> >
> > I wonder whether a hybrid authentication method could be implemented, where
> > the password of the user is stored along with the authorized public key on the
> > server, but instead of storing it in plain text, it would be stored encrypted
> > with the public key.
>
> This already can be achieved by specifying multiple values in
> AuthenticationMethods option. The documentation even provides this
> example:
>
> For example, "publickey,password publickey,keyboard-interactive"
> would require the user to complete public key authentication, followed
> by either password or keyboard interactive authentication.
Please correct me if I'm wrong, but as far as I understand, that way the user
would have to enter the password anyway after the public key authentication,
which is not what I meant.
What I was thinking is that the user could, for instance, use only the ssh agent
to log in for passwordless access. However, the server would still receive the
password and process the auth PAM modules. I believe that this could even work
when using PKCS#11.
-Eduardo