Possible to use both private key and password authentication for ssh login?

  • It seems that they are mutually exclusive, as disabling one gives me the other, and vice versa. Two-factor auth for my ssh servers sounds really nice, so is there any way to accomplish this?

    Are you not wanting to count passphrased ssh keys?

    Oh, right. I should have specified that. No, that doesn't count. I'd like the server to have to be authenticated against twice, not the client :-)

    @ChrisBlake - why? What problem are you trying to solve? Can you be more specific? What's your threat model? What risk are you trying to defend against?

    @D.W. Threat model for requiring this: working with people you don't trust to take security as seriously as you do. You want to make it impossible for someone to compromise your server if their laptop, with a carelessly unencrypted ssh key, is stolen.

    @JaneDoe, if that's the problem, then this might be better solved through policy rather than a technical mechanism. Requiring a password on every login has major disadvantages, and it sounds counterproductive to me. I think it's better to just set an organizational policy requiring all your sysadmins to encrypt their private key with a passphrase. (If you don't trust your sysadmins to follow this policy, why are you letting them administer your systems?)

  • mricon (correct answer, 8 years ago)

    With recent Fedora and RHEL 6 releases, you can use RequiredAuthentications2 pubkey,password to require both pubkey and password authentication. Usually this is done to require pubkey and 2-factor authentication token, not the user's password.

    Update: Now on RHEL / CentOS 7, and any system with a recent version of OpenSSH, you can use:

    AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"
    

    It's also possible to use the Match directive to exclude IPs or Users.

    With these new releases, this is the new (and easiest) correct answer.

    See @Jakuje answer here for more recent Linux distro key+password SSH setup. The name of the config parameter has changed.

    Would have been more sensible to mention the OpenSSH version instead of some vague range of _major_ distro versions.
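The following is an added example, not configuration from the answer above or from any OpenSSH distribution. It puts the AuthenticationMethods line from the answer into a small sshd_config fragment together with the Match exception the answer mentions. It assumes OpenSSH 6.2 or later (the release that introduced AuthenticationMethods), that the keyboard-interactive second factor is provided by a PAM module configured elsewhere, and a hypothetical service account named backup on the hypothetical 10.0.0.0/8 network.

```sshd_config
# Added example (not from the original answer or from OpenSSH's shipped defaults).
# Assumes OpenSSH >= 6.2 and a PAM-based second factor for keyboard-interactive.

# Every method named in AuthenticationMethods must also be enabled on its own,
# otherwise sshd refuses to start or the method can never succeed.
PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes

# Global rule: a key first, then EITHER the account password OR a
# keyboard-interactive exchange (the PAM second factor). Methods in one
# comma-separated list are required in order; lists separated by spaces
# are alternatives.
AuthenticationMethods publickey,password publickey,keyboard-interactive

# Exception via Match: keywords below a matching Match line override the
# global values above. When several Match blocks match, the first one that
# sets a keyword wins for that keyword. Here the hypothetical "backup"
# account, but only from the hypothetical 10.0.0.0/8 network, needs a key only.
Match User backup Address 10.0.0.0/8
    AuthenticationMethods publickey
    PasswordAuthentication no
```

Before reloading sshd, check the file with `sshd -t -f /path/to/sshd_config` and inspect the value a particular connection would actually get with `sshd -T -C user=backup,addr=10.1.2.3 -f /path/to/sshd_config | grep -i authenticationmethods`; do the same for an ordinary user and an address outside 10.0.0.0/8 to confirm the global rule still applies. Keep an existing session open while you restart the daemon so a mistake does not lock you out. Note that the password alternative means a stolen, unencrypted key is still useless without the account password, but it is the keyboard-interactive alternative that gives you a true one-time second factor.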

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM