I have an Internet-facing server that I need to allow shared (non-administrative) access to. I want to allow access only if the user's key is in an authorized_keys file, but I don't trust some of these guys not to get their keys stolen, and I know some of them don't secure their private keys with a passphrase, despite me asking them to.
Basically, what I want is to have sshd require both ChallengeResponseAuthentication AND PubKeyAuthentication so that they always have to type a password as well as having an authorized keypair.
Everything I've read makes me think this isn't something OpenSSH's sshd will let me do: I tell it what auth methods are OK, and it tries them in a certain (inbuilt) order of preference until one of them works, and then the user is allowed in.
Am I going to have to look for a different sshd or download and hack the code myself, or am I missing something?
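For reference, the behaviour the question asks for is available in stock OpenSSH (6.2 and later) through the `AuthenticationMethods` option, which makes sshd require every listed method to succeed in the listed order. The fragment below is an added example sshd_config, not taken from the original post; the group name `sharedusers` is an assumption.

```sshd_config
# Added example (not from the original post). Requires OpenSSH 6.2 or newer,
# which introduced AuthenticationMethods.
PubkeyAuthentication yes
# Enable the password prompt via PAM. On OpenSSH 8.7+ this option is also
# spelled KbdInteractiveAuthentication; both names are accepted there.
ChallengeResponseAuthentication yes
UsePAM yes

# Only the shared, non-administrative accounts get the stacked requirement
# (group name is an assumption). Both methods must succeed, key first,
# then the keyboard-interactive password prompt; a stolen key alone is not
# enough, and a password alone is not enough either.
Match Group sharedusers
    AuthenticationMethods publickey,keyboard-interactive
```

Validate the file with `sshd -t` before restarting the daemon, and keep an existing session open while testing so a typo cannot lock you out.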