Thank you Robert, you explained it better than I did. This feature can be
used as a poor man's 2-factor authentication and might be quite helpful to
better secure the networks. I'm just not sure how to get it into OpenSSH. Do
you know by any chance how I can get the attention of any of the OpenSSH
development team to try to convince them to get this feature in?


-----Original Message-----
From: Robert Hajime Lanning
Sent: Tuesday, June 06, 2006 2:23 PM
Subject: Re: Using RSA key _and_ password

He is trying to get OpenSSH to enforce two factor authentication
from the server end.

1) Something you have (Private Key)
   o Provided by the key challenge that has been described.
2) Something you know (Password)
   o Asked for via the password authentication feature.

The issue is having the server require both authentication methods.
Not just one.

Now the private key could be encrypted with a passphrase to get the
two factor, but this is not enforceable at the server. There is nothing
that the server can do to enforce that the private key (which the server
never sees) is always encrypted with a non-null passphrase.

On 6/5/06, Sven Édouard wrote:
> Hi Alex,
> OpenSSH should be able to do this. From the man pages:
> "As a second authentication method, ssh supports RSA based
> authentication. The scheme is based on public-key cryptography: there
> are cryptosystems where encryption and decryption are done using
> separate keys, and it is not possible to derive the decryption key
> from the encryption key. RSA is one such system. The idea is that each
> user creates a public/private key pair for authentication purposes.
> The server knows the public key, and only the user knows the private
> key.
> The file $HOME/.ssh/authorized_keys lists the public keys that are
> permitted for logging in. When the user logs in, the ssh program tells
> the server which key pair it would like to use for authentication. The
> server checks if this key is permitted, and if so, sends the user
> (actually the ssh program running on behalf of the user) a challenge,
> a random number, encrypted by the user's public key. The challenge can
> only be decrypted using the proper private key. The user's client then
> decrypts the challenge using the private key, proving that he/she
> knows the private key but without disclosing it to the server."
> If you can't solve your problems, post the specific problem you are
> encountering.
> Sven
> On Fri, 2 Jun 2006 16:14:56 -0400, "Alex Perematko" said:
> > Hi,
> >
> > I'd appreciate it if somebody could suggest how to configure OpenSSH to
> > require RSA key _and_ password to authenticate a user.
> > This feature exists in SSH.COM ssh, but I was unable to configure it in
> > OpenSSH.
> > If this can not be done at the moment, does anybody know what it takes
> > to convince ($$ or otherwise) OpenSSH development team to add this feature

> >
> > Alex
> >

> --
> Sven Édouard

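
Added example (not part of the original thread and not OpenSSH project code): OpenSSH releases later than this thread have an AuthenticationMethods directive in sshd_config that lets the server itself require both of the factors Robert lists. The Python sketch below checks whether a config's global section really demands a key and a password; the function names and sample configs are constructed for illustration, and keyboard-interactive is assumed to count as the password factor.

```python
# Added example: does this sshd_config make the server demand key AND password?
# Simplified: reads only the global section (stops at the first Match block)
# and expects whitespace-separated "Keyword value" lines.

# Methods treated as "something you know" (assumption for this sketch).
KNOWLEDGE = {"password", "keyboard-interactive"}

def global_auth_methods(config_text):
    """Return AuthenticationMethods as a list of sets, or None if unset."""
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            break
        if keyword == "authenticationmethods" and len(parts) == 2:
            # Space-separated alternatives, each a comma-separated list that
            # must be completed in full; "name:sub" narrows a method.
            return [{m.split(":")[0] for m in alt.split(",")}
                    for alt in parts[1].split()]   # first occurrence wins
    return None

def enforces_key_and_password(config_text):
    """True only if every accepted alternative needs both factors."""
    alternatives = global_auth_methods(config_text)
    if not alternatives:
        return False    # unset: any single enabled method is enough
    return all("publickey" in alt and bool(alt & KNOWLEDGE)
               for alt in alternatives)

# Constructed sample configurations (not taken from the thread).
EITHER = "PubkeyAuthentication yes\nPasswordAuthentication yes\n"
BOTH = "AuthenticationMethods publickey,password\n"
LOOPHOLE = "AuthenticationMethods publickey,password publickey\n"
PAM = "authenticationmethods publickey,keyboard-interactive:pam  # 2FA\n"

if __name__ == "__main__":
    for name, cfg in [("EITHER", EITHER), ("BOTH", BOTH),
                      ("LOOPHOLE", LOOPHOLE), ("PAM", PAM)]:
        print(name, enforces_key_and_password(cfg))
```

The LOOPHOLE case is the one to watch for in review: a second, shorter alternative on the same line lets a client in with the key alone.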