[EXTERNAL] Re: Feature - Password over Pubkey auth
Sands, Daniel N.
dnsands at sandia.gov
Tue Aug 5 03:50:20 AEST 2025
>
> I'm wondering whether there actually is a use case for (or, much
> resource savings to be obtained by) SSH logins that do *not* make
> $HOME available.
>
> Because if
> -- there are none,
> -- you *want* people to do *keypair* auth to log into the server, and
> -- sshd defers the password auth to PAM (as you said it does, above),
> I would expect that setting "AuthenticationMethods publickey,password"
> already does everything that's really required from the *server* side.
>
There is already a similar use case: OTPs. You log into an account
with your OTP generator device, and at least on GNOME-based Linux you
are then greeted with a prompt to unlock your keychain (which is
protected with a password).
It's probably time to start thinking about solutions that no longer
depend on a static password as the linchpin.
More information about the openssh-unix-dev mailing list