On Mon, Aug 04, 2025 at 10:58:10AM +0300, Alexander Bokovoy wrote:
> On ???, 03 ??? 2025, Eduardo Suarez-Santana via openssh-unix-dev wrote:
> > Hi,
> >
> > this is just an idea.
> >
> > I've observed that password authentication typically passes through the
> > server-side PAM authentication modules. This may be useful for instance to
> > unlock an encrypted home directory using the user's password.
> >
> > On the other side, public key authentication may be run passwordless from the
> > client, which is also a great feature, but it does not allow unlocking the home
> > directory.
> >
> > I wonder whether a hybrid authentication method could be implemented, where
> > the password of the user is stored along with the authorized public key in the
> > server, but instead of storing it in plain text, it would be stored encrypted
> > with the public key.
>
> This already can be achieved by specifying multiple values in
> AuthenticationMethods option. The documentation even provides this
> example:
>
> For example, "publickey,password publickey,keyboard-interactive"
> would require the user to complete public key authentication, followed
> by either password or keyboard interactive authentication.

Please correct me if I'm wrong, but as far as I understand, that way the user
would have to enter the password anyway after the public key authentication,
which is not what I meant.

What I was thinking is that the user could for instance use only the ssh agent
to log in for passwordless access. However, the server would still receive the
password and process the auth PAM modules. I believe that this could even work
when using PKCS#11.

-Eduardo