openssh unix dev - Sep 2008 - Authentication w/ key + password

I have read archives about two-factor authentication on this list and
it is interesting and can open up a can of worms. I don't intend on
opening a can of worms or spur debate.

As far as I can tell, authentication to openssh can be performed by
signing a connection request with a private client key & having the
server decrypt the key with the public key.
The other way to authenticate (of which I am interested in) is to use
a password which is verified through PAM, etc.
In both instances communication from the server is signed with the
server's private key to ensure authenticity of the server.

As far as I can tell, there is no way to authenticate with both
mechanism. (client key + password)

I have looked at the source and have some ideas, but if I could get
steered in the right direction of how to change openssh to allow both
authentication methods, I would appreciate that.


As a side note, my ideal authentication method for authenticating the
client is as follows:
public key authentication
password defined by password rules with required change intervals
One-time-password / pseudo random password
(combining static passwords with OTP / pseudo random passwords would
be more appropriate for a RADIUS (maybe PAM) implementation)


Again I don't want to cause controversy. I understand there are
differences between smartcards, OTP, pseudo random number generators,
encryption keys. There are security measures, conveniences, etc.
needed to consider for all of these methods. I just want to modify
openssh to fit my needs. Any help would be appreciated.

Thanks,
Jason Wright

If your home dir is on local disk or (standard) nfs (without access 
control enforcement like in AFS NFS4 e.g) the ssh login with an ssh-key 
enabled in your .ssh/authorized_keys should work. Alternative password 
authentication is best be done via PAM (not /etc/shadow). A quick lookup 
with google yields:
  http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/\
    chap16sec132.html
Regards,
Rainer Laatsch

On Tue, 2 Sep 2008, Jason Wright wrote:
> I have read archives about two-factor authentication on this list and
> it is interesting and can open up a can of worms. I don't intend on
> opening a can of worms or spur debate.
>
> As far as I can tell, authentication to openssh can be performed by
> signing a connection request with a private client key & having the
> server decrypt the key with the public key.
> The other way to authenticate (of which I am interested in) is to use
> a password which is verified through PAM, etc.
> In both instances communication from the server is signed with the
> server's private key to ensure authenticity of the server.
>
> As far as I can tell, there is no way to authenticate with both
> mechanism. (client key + password)
>
> I have looked at the source and have some ideas, but if I could get
> steered in the right direction of how to change openssh to allow both
> authentication methods, I would appreciate that.
>
>
> As a side note, my ideal authentication method for authenticating the
> client is as follows:
> public key authentication
> password defined by password rules with required change intervals
> One-time-password / pseudo random password
> (combining static passwords with OTP / pseudo random passwords would
> be more appropriate for a RADIUS (maybe PAM) implementation)
>
>
> Again I don't want to cause controversy. I understand there are
> differences between smartcards, OTP, pseudo random number generators,
> encryption keys. There are security measures, conveniences, etc.
> needed to consider for all of these methods. I just want to modify
> openssh to fit my needs. Any help would be appreciated.
>
> Thanks,
> Jason Wright
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>