openssh unix dev - Jun 2002 - Require multiple methods of authentication.. status...

All,

	Forgive me if this is has been covered.  I didn't find what I was looking 
for in the man pages or on the list archives.

	What is the status of being able to require a user to perform multiple 
methods of authentication.

	I.E.
	   BOTH kerberos and pubkey
		-or-
	   BOTH kerb V and smartcard
		-etc. etc. etc.-

	I saw an entry on the archive from Markus and Tom in Arpil 2001 that said 
there may be a patch to do this, but I can't seem to locate a directive to 
set this up.

	Can anyone give me a pointer/patch?




Sincere Thanks,




Joshua JOhnson

--On Monday, June 24, 2002 10:41 AM -0500 Joshua Johnson 
<joshua.johnson at ftlsys.com> wrote:
> 	What is the status of being able to require a user to perform multiple
> methods of authentication.
I developed a patch a while ago to do this. It was rejected, because the 
functionality it provided included specifying the order of the 
authentication methods, and was deemed "too complicated". I was told
that a
patch that was order insensitive, and could therefore be reduced to a 
bitfield, would be acceptable. But that was not enough for my requirement 
(force pubkey before password), so I never did it.

Recently, someone has taken my old patch and ported it to a recent release. 
See the list archives for details. I haven't looked at it at all, so caveat 
emptor.

There is also a patch that integrates the keynote policy language. I 
haven't looked at it, as I changed employers and no longer require any of 
this (and my free time has been reduced ;-).

-- 
Carson