[ale] OpenSSH RequiredAuthentications2 publickey,password

JD jdp at algoloma.com
Sat Dec 29 10:30:33 EST 2012


Anyone using the "Match" config setting in their sshd_config files to specify
other keywords like AllowTcpForwarding, ChrootDirectory, ForceCommand,
KerberosAuthentication?

Every time I re-read the sshd_config man page, some new tidbit gets illuminated.

On 12/29/2012 09:56 AM, Jim Kinney wrote:
> On Sat, Dec 29, 2012 at 2:21 AM, David Tomaschik
> <david at systemoverlord.com> wrote:
>> On Fri, Dec 28, 2012 at 4:11 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>>
>>> In days past I looked at generating a script that runs ssh-add on user
>>> keys. Any keys that add to ssh-agent without password request will get
>>> edited to include a '!' as the first character of the key. An email is
>>> generated that informs the (l)user of the security requirements and
>>> what was changed. Second offense deletes the key.
>>
>>
>> While that sounds great, it assumes you have control over the client
>> machine.  That's not a valid assumption in a lot of cases.
> 
> True. As the remote end was under my control, I could require
> connections from known users in a controlled environment.
> 
> Maybe the ssh connection protocol needs a flag on key use that
> indicates whether the key uses a secondary auth method, password, CAC
> card, etc.
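
A variant of the check Jim describes, as an added example that is not part of the thread: instead of running ssh-add, it reads the private-key file header to tell whether a passphrase is set, which only works where the auditor can read the key files. The function names and sample keys are constructed for illustration; the sample bodies are placeholders, not real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def key_is_passphrase_protected(text):
    """True/False for a private key file's text; None if it is not one."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or "PRIVATE KEY-----" not in lines[0]:
        return None
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Current OpenSSH format: magic, then a length-prefixed cipher name.
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            return None
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container
    # Legacy PEM: encrypted keys carry a Proc-Type header after the BEGIN line.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:3])

def find_unprotected(keys):
    """Return the names of keys that would load without a passphrase prompt."""
    return sorted(name for name, text in keys.items()
                  if key_is_passphrase_protected(text) is False)

def sample_openssh(cipher):
    """Constructed header-only blob (no key material) for the demo."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 8
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples: placeholder bodies, not real keys.
SAMPLES = {
    "alice_new": sample_openssh(b"none"),
    "bob_new": sample_openssh(b"aes256-ctr"),
    "carol_legacy": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "dave_legacy": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                    "AAAA\n-----END RSA PRIVATE KEY-----\n"),
    "erin_pub": "ssh-rsa AAAA erin@example",
}

if __name__ == "__main__":
    print(find_unprotected(SAMPLES))
```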

