Hi, probably an ignorant question, maybe I'm missing something ...

Is there a way for a sshd server to be able to enforce both client host key authentication as well as user authentication, say for roving user-administered laptops. So a sysadmin can restrict access to allow only client hosts which can pass the HostbasedAuthentication tests, whatever the current IP name/address, but still insist on the user authenticating themselves (by password say). Is this possible?

I see there's a SSH2 configuration of RequiredAuthentications which might allow the sysadmin to specify two authentications required, but it's not in openssh is it, and maybe it doesn't do what I want anyway?

Thanks in advance,
Lawrence.

--
Tel: 0121 414 4621 Fax: 0121 414 6709 Email: L.S.Lowe at bham.ac.uk
L.T.Lowe at hep.ph.bham.ac.uk wrote:
> Is there a way for a sshd server to be able to enforce both
> client host key authentication as well as user authentication,
> say for roving user-administered laptops.
> So a sysadmin can restrict access to allow only client hosts
> which can pass the HostbasedAuthentication tests,
> whatever the current IP name/address, but still insist on the user
> authenticating themselves (by password say). Is this possible?

I turn off password authentication and enforce use of rsa keys. The sshd config option is:

PasswordAuthentication no

This is slightly different than you propose but I think has a higher utility. I can switch laptops as long as I am using the same user key.

Bob
L.T.Lowe at hep.ph.bham.ac.uk wrote:
> Hi, probably an ignorant question, maybe I'm missing something ...
>
> Is there a way for a sshd server to be able to enforce both
> client host key authentication as well as user authentication,
> say for roving user-administered laptops.
> So a sysadmin can restrict access to allow only client hosts
> which can pass the HostbasedAuthentication tests,
> whatever the current IP name/address, but still insist on the user
> authenticating themselves (by password say). Is this possible?

No, but see http://bugzilla.mindrot.org/show_bug.cgi?id=983
--On Wednesday, May 18, 2005 01:20:20 PM +1000 Damien Miller <djm at mindrot.org> wrote:
> L.T.Lowe at hep.ph.bham.ac.uk wrote:
>>
>> Is there a way for a sshd server to be able to enforce both
>> client host key authentication as well as user authentication,
>> say for roving user-administered laptops.
>> So a sysadmin can restrict access to allow only client hosts
>> which can pass the HostbasedAuthentication tests,
>> whatever the current IP name/address, but still insist on the user
>> authenticating themselves (by password say). Is this possible?
>
> No, but see http://bugzilla.mindrot.org/show_bug.cgi?id=983

I also had an old patch that supported ordered auth methods (the patch referenced above requires multiple auth methods in any order). I will again offer to update my patch to the current OpenSSH code if the core maintainers express any interest in integrating the patch. It was previously rejected as "too complicated" (functionality-wise, not code complexity).

--
Carson Gaspar
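An added example from the editor, not written by any poster in this thread. The thread dates from May 2005, when sshd could not require two methods; the AuthenticationMethods directive that OpenSSH 6.2 later added is what bug 983 asked for, and a line such as `AuthenticationMethods hostbased,password` makes sshd require both a client host key and a user password on every login. The Python below is a constructed config audit, not an OpenSSH tool: it reads the global section of an sshd_config, applies sshd's rule that the first value given for a keyword wins, and reports whether password login is off (Bob's key-only setup) and whether every AuthenticationMethods alternative demands hostbased plus a method that proves the user (Lawrence's request). The function names and the three sample configs are my own constructions.

```python
"""Audit the login policy of an sshd_config (constructed example)."""
import re

# Constructed sample, not from the thread: Bob's approach, keys only.
KEY_ONLY_CONFIG = """\
# constructed sample sshd_config
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
# sshd keeps the FIRST value of a keyword, so this later line is ignored
PasswordAuthentication yes
"""

# Constructed sample: Lawrence's request, client host key AND user password.
HOST_PLUS_USER_CONFIG = """\
# constructed sample sshd_config
HostbasedAuthentication yes
IgnoreRhosts yes
IgnoreUserKnownHosts yes
PasswordAuthentication yes
AuthenticationMethods hostbased,password
"""

# Constructed sample of a common mistake: a SPACE separates alternatives,
# so here a public key alone is enough and the host key is never required.
ALTERNATIVES_CONFIG = """\
HostbasedAuthentication yes
AuthenticationMethods hostbased,password publickey
"""

# Methods that prove the user rather than the client host.
USER_PROVING = {"password", "keyboard-interactive", "publickey"}

# "Keyword value", "Keyword=value" or "Keyword = value".
_LINE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_global_section(text):
    """Return {keyword.lower(): first value} for directives before any Match block.

    sshd_config keywords are case-insensitive and the first obtained value
    wins. Directives inside Match blocks are conditional, so (assumption of
    this audit) parsing stops there instead of guessing which ones apply.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break
        values.setdefault(keyword, arg)
    return values


def requires_host_and_user(values):
    """True when every AuthenticationMethods alternative demands hostbased
    plus a user-proving method.

    Alternatives are space-separated; inside one alternative the
    comma-separated methods must ALL succeed. A "method:style" suffix
    (e.g. keyboard-interactive:pam) is dropped before comparing.
    """
    spec = values.get("authenticationmethods", "any")
    if spec.lower() == "any":
        return False
    if values.get("hostbasedauthentication", "no").lower() != "yes":
        return False  # hostbased is listed but the method itself is disabled
    for alternative in spec.split():
        methods = {m.split(":")[0].lower() for m in alternative.split(",")}
        if "hostbased" not in methods or not (methods & USER_PROVING):
            return False
    return True


def audit(text):
    """Summarise one sshd_config; defaults match sshd's own defaults."""
    v = parse_global_section(text)
    return {
        "password_login": v.get("passwordauthentication", "yes").lower() == "yes",
        "hostbased_login": v.get("hostbasedauthentication", "no").lower() == "yes",
        "host_and_user_required": requires_host_and_user(v),
    }


if __name__ == "__main__":
    for name, cfg in [("key-only", KEY_ONLY_CONFIG),
                      ("host+user", HOST_PLUS_USER_CONFIG),
                      ("alternatives", ALTERNATIVES_CONFIG)]:
        print(name, audit(cfg))
```

Enabling hostbased on the server is only half of the setup: the client host's public key has to be listed in the server's /etc/ssh/ssh_known_hosts, the host has to be named in /etc/ssh/shosts.equiv (or a user's ~/.shosts), and the client needs `HostbasedAuthentication yes` and `EnableSSHKeysign yes` in its ssh_config so ssh-keysign can sign with the client's host key. For the roving laptops Lawrence describes, note that sshd by default checks the hostname the client sends against reverse DNS of the connecting address, so a laptop whose address changes will fail that check unless the known-hosts entry and the name resolution are arranged to match.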