A while back (March) I was sent the below reply, which contained references to
patches to OpenSSH 4.7p1 that require multiple authentication. Are there any
similar patches to 4.8 and/or 5.1? And is there any chance of something
similar making it into the standard OpenSSH distribution? The first of these
patches saved me much grief when dealing with PCI-DSS (Payment Card Industry
Data Security Standards).


Jeff Simmons wrote:
> While doing a bit of research, I've found some historic attempts to require
> multiple authentication in sshd (i.e. both public/private key and
> login/password). Is there any way to get this working in the current ssh
> distribution, specifically in up to date stable OpenBSD?
> Thanks for any assistance, even a no, we don't do that.

https://bugzilla.mindrot.org/show_bug.cgi?id=983 forces you to use both
public key and password authentication.

https://bugzilla.mindrot.org/show_bug.cgi?id=1435 allows you to specify
2 or more methods.

The patches are made against portable 4.7p1 but I imagine should be
relatively easy to adapt to openBSD.

Jeff Simmons jsimmons@goblin.punk.net
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise. Are you sure you're doing it right?"
-- My Life With The Thrill Kill Kult