Re: Please explain OpenSSH double authentication lack

Nico Kadel-Garcia wrote:
Chuck wrote:
brontolo wrote:
Hi,
I have searched for a long time, but I haven't found any persuasive
reason why OpenSSH doesn't permit requiring two authentication
mechanisms (PubKey _and_ password), as Tectia, Van Dyke, etc. do.

It's only another option, but it seems to be a matter of
philosophy.
Silly question, but why would you want to do this? One level of
authentication should be more than enough. Especially if using pubkey
with an encrypted private key. It effectively does the same thing. You
need to have both the passphrase and the key to use it.

Lots of reasons: if users will be SSH-ing in from off-site, they need either
their password or their SSH key or something else. If that is stolen, for
example by keystroke monitoring or by someone stealing their laptop, then
you don't want whoever stole it to have full access with that single stolen
key.

SSH keys are useful this way, since they *should* be set up to require a
passphrase, but there's no way for the server to know that anyone actually
did this. Way, way, way too many users simply use passphraseless keys, which
are far too easy to steal. (If your local network supports NFS, I urge you
to take a look in home directories for all the passphraseless keys: it's
always embarrassing!) So enforcing another authentication method, such as
S/Key, can be very helpful.

Understood.

You should be able to enforce the use of encrypted private keys through
policy management. Even just something that scans the HD when they
connect to your network for id_[rd]sa files and looks for the string
ENCRYPTED.
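A worked version of the scan suggested in the last post, added here as an illustration and not part of the original thread. Grepping for the string ENCRYPTED only catches PEM-format keys (the "Proc-Type: 4,ENCRYPTED" header); OpenSSH's own key format ("-----BEGIN OPENSSH PRIVATE KEY-----", the default since 7.8) instead records the cipher name inside the base64 body, where a cipher of "none" means the key has no passphrase. The script below handles both formats, walks a tree of home directories for the usual id_* file names, and lists the keys that are not passphrase-protected. The sample key files it creates are constructed stand-ins with placeholder bodies, not real keys; the helper names (key_is_encrypted, find_unprotected_keys, make_sample_keys) are this example's own. As a server-side caveat to the thread's premise: OpenSSH 6.2 and later added the sshd_config option AuthenticationMethods (e.g. "AuthenticationMethods publickey,password"), which does require both mechanisms, so the gap being discussed only applies to older releases.

```shell
#!/bin/sh
# Audit private SSH keys for missing passphrases (example code, not from the thread).

# key_is_encrypted FILE
#   exit 0: key is passphrase-protected
#   exit 1: key is stored in the clear
#   exit 2: file is not a recognised private key format
key_is_encrypted() {
  f=$1
  if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
    # Native format: "openssh-key-v1\0", then a length-prefixed cipher name,
    # then a length-prefixed KDF name. Decode the body, turn non-printable
    # bytes into line breaks and take the second non-empty token (the cipher).
    cipher=$(grep -v '^-----' "$f" | base64 -d 2>/dev/null \
             | tr -c '[:print:]' '\n' | grep -v '^$' | sed -n '2p')
    [ -n "$cipher" ] && [ "$cipher" != "none" ]
    return
  fi
  if grep -q 'PRIVATE KEY-----' "$f"; then
    # Classic PEM format: encryption is announced in a Proc-Type header.
    grep -q '^Proc-Type: 4,ENCRYPTED' "$f"
    return
  fi
  return 2
}

# find_unprotected_keys DIR: print the path of every clear-text key under DIR.
find_unprotected_keys() {
  find "$1" -type f \( -name id_rsa -o -name id_dsa -o -name id_ecdsa \
                        -o -name id_ed25519 \) 2>/dev/null |
  while IFS= read -r f; do
    rc=0
    key_is_encrypted "$f" || rc=$?
    if [ "$rc" -eq 1 ]; then printf '%s\n' "$f"; fi
  done
}

# count_unprotected DIR: number of clear-text keys under DIR.
count_unprotected() {
  find_unprotected_keys "$1" | grep -c .
}

# make_sample_keys: build a constructed home-directory tree with two PEM keys
# (one encrypted, one not) and two native-format keys (one encrypted, one not).
# Bodies are placeholders that carry only the headers this check inspects.
make_sample_keys() {
  d=$(mktemp -d)
  mkdir -p "$d/alice/.ssh" "$d/bob/.ssh" "$d/carol/.ssh" "$d/dave/.ssh"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF' '' 'QUFBQQ==' \
    '-----END RSA PRIVATE KEY-----' > "$d/alice/.ssh/id_rsa"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'QUFBQQ==' \
    '-----END RSA PRIVATE KEY-----' > "$d/bob/.ssh/id_rsa"
  {
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
    printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'
  } > "$d/carol/.ssh/id_ed25519"
  {
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
    printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'
  } > "$d/dave/.ssh/id_ed25519"
  printf '%s\n' "$d"
}

# Stand-alone demo: scan the constructed tree (pass a real /home path instead
# to audit actual accounts; run as a user that can read the key files).
if [ -n "$1" ]; then
  find_unprotected_keys "$1"
else
  demo=$(make_sample_keys)
  find_unprotected_keys "$demo"
  rm -rf "$demo"
fi
```

Run it with a home-directory root as its only argument; each printed path is a key that anyone who copies the file can use without a passphrase. Keys stored in the native format but protected with a KDF other than bcrypt still report as encrypted, because only the cipher name is consulted.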