Authentication w/ key + password - openssh



Thread: Authentication w/ key + password

  1. Authentication w/ key + password

    I have read archives about two-factor authentication on this list and
    it is interesting and can open up a can of worms. I don't intend on
    opening a can of worms or spur debate.

    As far as I can tell, authentication to openssh can be performed by
    signing a connection request with a private client key & having the
    server decrypt the key with the public key.
    The other way to authenticate (which I am interested in) is to use
    a password which is verified through PAM, etc.
    In both instances communication from the server is signed with the
    server's private key to ensure authenticity of the server.

    As far as I can tell, there is no way to authenticate with both
    mechanisms (client key + password).

    I have looked at the source and have some ideas, but if I could get
    steered in the right direction of how to change openssh to allow both
    authentication methods, I would appreciate that.


    As a side note, my ideal authentication method for authenticating the
    client is as follows:
    public key authentication
    password defined by password rules with required change intervals
    One-time-password / pseudo random password
    (combining static passwords with OTP / pseudo random passwords would
    be more appropriate for a RADIUS (maybe PAM) implementation)


    Again I don't want to cause controversy. I understand there are
    differences between smartcards, OTP, pseudo random number generators,
    encryption keys. There are security measures, conveniences, etc.
    that need to be considered for all of these methods. I just want to
    modify openssh to fit my needs. Any help would be appreciated.

    Thanks,
    Jason Wright
    _______________________________________________
    openssh-unix-dev mailing list
    openssh-unix-dev@mindrot.org
    https://lists.mindrot.org/mailman/li...enssh-unix-dev


  2. Re: Authentication w/ key + password

    If your home dir is on local disk or (standard) nfs (without access
    control enforcement like in AFS or NFS4, e.g.) the ssh login with an ssh-key
    enabled in your .ssh/authorized_keys should work. Alternative password
    authentication is best done via PAM (not /etc/shadow). A quick lookup
    with google yields:
    http://tldp.org/LDP/solrhe/Securing-...Edition-v1.3/chap16sec132.html
    Regards,
    Rainer Laatsch

    On Tue, 2 Sep 2008, Jason Wright wrote:

    > I have read archives about two-factor authentication on this list and
    > it is interesting and can open up a can of worms. I don't intend on
    > opening a can of worms or spur debate.
    >
    > As far as I can tell, authentication to openssh can be performed by
    > signing a connection request with a private client key & having the
    > server decrypt the key with the public key.
    > The other way to authenticate (which I am interested in) is to use
    > a password which is verified through PAM, etc.
    > In both instances communication from the server is signed with the
    > server's private key to ensure authenticity of the server.
    >
    > As far as I can tell, there is no way to authenticate with both
    > mechanisms (client key + password).
    >
    > I have looked at the source and have some ideas, but if I could get
    > steered in the right direction of how to change openssh to allow both
    > authentication methods, I would appreciate that.
    >
    >
    > As a side note, my ideal authentication method for authenticating the
    > client is as follows:
    > public key authentication
    > password defined by password rules with required change intervals
    > One-time-password / pseudo random password
    > (combining static passwords with OTP / pseudo random passwords would
    > be more appropriate for a RADIUS (maybe PAM) implementation)
    >
    >
    > Again I don't want to cause controversy. I understand there are
    > differences between smartcards, OTP, pseudo random number generators,
    > encryption keys. There are security measures, conveniences, etc.
    > that need to be considered for all of these methods. I just want to
    > modify openssh to fit my needs. Any help would be appreciated.
    >
    > Thanks,
    > Jason Wright
    > _______________________________________________
    > openssh-unix-dev mailing list
    > openssh-unix-dev@mindrot.org
    > https://lists.mindrot.org/mailman/li...enssh-unix-dev
    >



  3. Re: Authentication w/ key + password

    Rainer Laatsch wrote:
    > If your home dir is on local disk or (standard) nfs (without access
    > control enforcement like in AFS or NFS4, e.g.) the ssh login with an ssh-key
    > enabled in your .ssh/authorized_keys should work. Alternative password
    > authentication is best done via PAM (not /etc/shadow). A quick lookup


    Which has nothing to do with what he wants. He wants to require _both_
    publickey and password auth before access is granted.

    Many moons ago I created a patch to add ordered authentications, but the
    openssh devs didn't like the idea.

    More recently, one of the openssh devs proposed (and I think coded)
    support for unordered multiple authentications. I don't know what the
    status of this is, hopefully one of the devs will chime in. I'm sure
    google can find the thread in one of the list archives.

    --
    Carson
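The multiple-authentication support Carson mentions later shipped as OpenSSH's AuthenticationMethods directive (OpenSSH 6.2 and newer), which is how "publickey AND password" is expressed in sshd_config today. As an added defender-side check that is not part of this thread, the Python below parses an sshd_config and reports whether every permitted method chain requires both a public key and a password (or keyboard-interactive) step; the sample configs are constructed.

```python
"""Audit an sshd_config for OpenSSH's AuthenticationMethods directive.

Syntax (OpenSSH 6.2+): space-separated method chains; each chain is a
comma-separated list that must ALL succeed, and satisfying ANY one chain
grants access. So "publickey,password" demands both factors, while
"publickey password" accepts either one on its own."""
import re

# Second factors verified through password/PAM ("something you know").
KNOWLEDGE_METHODS = {"password", "keyboard-interactive"}


def parse_authentication_methods(config_text):
    """Return the method chains from the global AuthenticationMethods line,
    e.g. [['publickey', 'password']]; [] when the directive is absent
    (then any single enabled method suffices). sshd honours the first
    occurrence of a keyword, and we stop at the first Match block because
    conditional settings would need per-user evaluation."""
    chains = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        m = re.match(r"authenticationmethods\s+(.+)", line, re.IGNORECASE)
        if m and not chains:
            # "keyboard-interactive:pam" -> "keyboard-interactive"
            chains = [[meth.split(":", 1)[0] for meth in chain.split(",")]
                      for chain in m.group(1).split()]
    return chains


def requires_key_and_password(config_text):
    """True only if every allowed chain includes publickey AND a knowledge
    factor, i.e. no chain lets a key alone or a password alone log in."""
    chains = parse_authentication_methods(config_text)
    if not chains:
        return False
    return all("publickey" in chain and KNOWLEDGE_METHODS & set(chain)
               for chain in chains)


# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = "PubkeyAuthentication yes\nAuthenticationMethods publickey password\n"
STRONG_CONFIG = ("PubkeyAuthentication yes\nUsePAM yes\n"
                 "AuthenticationMethods publickey,password publickey,keyboard-interactive:pam\n")
NO_DIRECTIVE = "PasswordAuthentication yes\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG), ("none", NO_DIRECTIVE)]:
        print(name, parse_authentication_methods(cfg), requires_key_and_password(cfg))
```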

