openssh unix dev - Feb 2021 - AuthenticationMethods for ssh certificate

>But I want to have a rule that one of those 2 pubkeys *must* be a
>certificate, so the user uses 1 certificate and 1 normal pubkey
>instead of 2 normal pubkeys.
Ah, I see. I'm not sure about that, perhaps it cannot be done.

What's the reason for doing this? You don't increase security by
imposing more layers of the same factor. Security is increased by imposing
multiple factors, such as requiring a key and restricting logins to only
whitelisted IP addresses. A key and a cert are both basically the same type of
factor (something-you-have).

It's actually 2 factors in our setup, the ssh certificate is created
using MFA (and have a short lifetime), and the pubkey is the users own
private key.

This prevents getting into the system if you have control of the MFA
setup (which is handled by another team) or getting into the system
without MFA :-)

Op wo 3 feb. 2021 om 23:43 schreef asymptosis <asymptosis at
posteo.net>:
>
> >But I want to have a rule that one of those 2 pubkeys *must* be a
> >certificate, so the user uses 1 certificate and 1 normal pubkey
> >instead of 2 normal pubkeys.
>
> Ah, I see. I'm not sure about that, perhaps it cannot be done.
>
> What's the reason for doing this? You don't increase security by
imposing more layers of the same factor. Security is increased by imposing
multiple factors, such as requiring a key and restricting logins to only
whitelisted IP addresses. A key and a cert are both basically the same type of
factor (something-you-have).