2

I want to configure sshd to require that a connection authenticate with both a key and a password.

I haven't looked at using PAM or other external authentication methods yet, but my guess at the moment (based on sshd_config(5)) is that this is not possible. Prove me wrong. Please?

3 Answers

5

If you are using OpenSSH, I don't believe you can do this. There are other SSH2 daemons out there which allow extended SSH2 directives, giving you directives called "RequiredAuthentications" and "AllowedAuthentications", both of which are comma-separated lists. You can see a nifty chart of compatibility at:

http://hell.org.ua/Docs/oreilly/tcpip2/ssh/ch05_05.htm

If this is a requirement you have, you should change out your ssh daemon. The config would then be:

AllowedAuthentications password,publickey
RequiredAuthentications password,publickey

Cheers

Michael
  • Keep in mind that doing it this way will require you to initiate the initial allowed public key, either by them providing their public key to you or you providing them with the private key. – Michael Nov 17 '09 at 08:00
  • OpenSSH does follow the SSH2 standard too, it simply doesn't implement "RequiredAuthentications". – user1686 Nov 17 '09 at 09:57
  • @grawity - You're correct. I have edited my answer to spread less FUD, thanks. :) – Michael Nov 17 '09 at 10:28
  • Also see [this answer over at serverfault.com](http://serverfault.com/a/409758/64875). It looks like RHEL have patched openssh with similar functionality. – Robie Basak Jan 18 '13 at 19:16
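Added example, not part of the original answers or of any project's code: OpenSSH 6.2 and later have an `AuthenticationMethods` keyword for server-side enforcement of the kind asked about, and the sketch below audits the global section of an sshd_config for a key-plus-password requirement. The function names and sample configurations are constructed for illustration, and `Match` blocks are not evaluated.

```python
# Added example: audits sshd_config text; sample configs below are constructed.
DEFAULTS = {"pubkeyauthentication": "yes",
            "passwordauthentication": "yes",
            "authenticationmethods": "any"}
# Method name -> keyword that must be "yes" for sshd to offer that method.
TOGGLE = {"publickey": "pubkeyauthentication",
          "password": "passwordauthentication"}


def global_settings(config_text):
    """Parse the global section; sshd keeps the first value seen per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":              # Match blocks are out of scope here
            break
        seen.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return seen


def enforces_key_and_password(config_text):
    """True only if every usable method list needs publickey AND password."""
    cfg = {**DEFAULTS, **global_settings(config_text)}
    if cfg["authenticationmethods"].lower() == "any":
        return False                        # any single method is enough
    usable = []
    for method_list in cfg["authenticationmethods"].split():
        methods = {m.split(":", 1)[0] for m in method_list.split(",")}
        # A list naming a disabled method can never be completed.
        if all(cfg[TOGGLE[m]] == "yes" for m in methods if m in TOGGLE):
            usable.append(methods)
    return bool(usable) and all({"publickey", "password"} <= m for m in usable)


STRICT = "PasswordAuthentication yes\nAuthenticationMethods publickey,password\n"
EITHER = "AuthenticationMethods publickey password\n"   # space = alternatives
UNSET = "PubkeyAuthentication yes\nPasswordAuthentication yes\n"
NO_PASSWORD = "PasswordAuthentication no\nAuthenticationMethods publickey,password\n"

if __name__ == "__main__":
    for name in ("STRICT", "EITHER", "UNSET", "NO_PASSWORD"):
        print(name, enforces_key_and_password(globals()[name]))
```

On a live host, `sshd -T` prints the effective configuration, and adding `-C` with a connection specification shows what a `Match` block would change for a given user.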
1

If you create a certificate with a pass phrase on it, then it will require you to enter that pass phrase when you log in with certificate authentication.

Zypher
  • However that is not actually a "key + password" setup for the SSH server, it is just a "key" setup. The CLIENT is requesting a pass-phrase in order to access the private key when connecting to the SSH server. – Ryan Fisher Nov 17 '09 at 04:24
  • Unfortunately this won't work because the passphrase can be trivially removed, e.g. ssh-keygen -p -P "old passphrase" -N "new passphrase" -f ssh-key-file – pyhimys Nov 17 '09 at 09:57
  • Thanks, but I only care about the server side. Key pass phrases have nothing to do with authentication, they just protect the key. –  Nov 18 '09 at 08:27
  • The command to do what Zypher mentioned above is "ssh-keygen". Here is the synopsis for the parts you would need: ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile] – jemmille Nov 17 '09 at 03:52
0

http://novosial.org/openssh/publickey-auth/

Pay particular attention to 'Key Generation' for generating a key with a passphrase, and to 'Key Distribution' for enabling login to a given server with that passphrase-protected key.

user1204270
justinsteven