[ale] OpenSSH RequiredAuthentications2 publickey,password

David Tomaschik david at systemoverlord.com
Fri Dec 28 13:17:04 EST 2012


Some googling around the option name (RequiredAuthentications2) suggests
that it is only in RH's patched version of OpenSSH; however, a patch based
on that should be included in OpenSSH 6.2.  I look forward to that -- SSH
keys are NOT 2-factor, despite what many people may say.  There's no way to
force someone to have an encrypted key, so the passphrase is not a 2nd
factor.  I'd like to see SSH key + pw become the standard.


On Thu, Dec 27, 2012 at 4:39 PM, Mike Harrison <cluon at geeklabs.com> wrote:

> David:
>
>> I'm not aware of any way to configure OpenSSH to ask for multiple
>> authentication factors.  You can fudge it with PAM (password + otp, for
>> example) but not with anything involving public
>> keys.  (Unless something has changed since I looked ~1 year ago at my
>> last job.)
>>
>
> Good disclaimer, :)  Best example I found is listed below,
> and while it's new to OpenSSH, it's been around in other versions (ssh.com).
> Looks like two-factor auth has been added to OpenSSH in certain versions.
>  It does not work on my Bodhi Linux system. (OpenSSH_5.9p1 Debian-5ubuntu1)
>
> It also does not show up in the official docs:
> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
>
> I've got a Redhat system I can test in the office... and will do when I
> can....
>
>
> -------------------------------------------------------
>
> https://bugzilla.redhat.com/show_bug.cgi?id=657378
>
> Fixed In Version:       openssh-5.3p1-80.el6
> Doc Type:       Enhancement
> Doc Text:
> Multiple required methods of authentications for sshd
>
> SSH can now be set up to require multiple ways of authentication (whereas
> previously SSH allowed multiple ways of authentication of which only one
> was required for a successful login); for example, logging in to an
> SSH-enabled machine requires both a passphrase and a public key to be
> entered. The RequiredAuthentications1 and RequiredAuthentications2 options
> can be configured in the /etc/ssh/sshd_config file to specify
> authentications that are required for a successful log in. For example:
>
> ~]# echo "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config
>
> For more information on the aforementioned /etc/ssh/sshd_config options,
> refer to the sshd_config man page.
>
>
>


-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
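
Added example, not part of the original post or of OpenSSH: a small Python audit that reads sshd_config text and reports the weakest set of methods that completes a login. It covers the RH-patched RequiredAuthentications2 line quoted above and, going beyond the thread, the AuthenticationMethods directive that upstream OpenSSH 6.2 shipped. The function names and sample configs are constructed for illustration, and Match blocks are assumed out of scope.

```python
# Added illustration: function names and sample configs are constructed.

def global_settings(text):
    """Map keyword -> first value seen in the global section.
    sshd keeps the first value it reads for a keyword."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # assumption: Match blocks not evaluated
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def weakest_chain(text):
    """Return the smallest set of distinct methods that completes a login,
    or None when no multi-method directive is set (one method is enough)."""
    cfg = global_settings(text)
    # AuthenticationMethods: upstream 6.2+; RequiredAuthentications2: RH patch.
    value = cfg.get("authenticationmethods") or cfg.get("requiredauthentications2")
    if not value or value.lower() == "any":
        return None
    # Space-separated alternatives, each a comma-separated list that must be
    # completed in full. "keyboard-interactive:pam" counts as its base method.
    chains = [{m.split(":")[0].lower() for m in chain.split(",") if m}
              for chain in value.split()]
    return min(chains, key=len)

def requires_two_methods(text):
    chain = weakest_chain(text)
    return chain is not None and len(chain) >= 2

# Constructed samples (the first uses the line from the quoted Bugzilla text).
SAMPLE_RH = "PasswordAuthentication yes\nRequiredAuthentications2 publickey,password\n"
# The second alternative lets a key alone log in, so the first is not enforced.
SAMPLE_UPSTREAM = "AuthenticationMethods publickey,password publickey\n"
SAMPLE_DEFAULT = "PubkeyAuthentication yes\nPasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in [("rh", SAMPLE_RH), ("upstream", SAMPLE_UPSTREAM),
                      ("default", SAMPLE_DEFAULT)]:
        print(name, weakest_chain(cfg), requires_two_methods(cfg))
```

The check only sees what the server enforces; whether the private key itself carries a passphrase is not visible to sshd.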