ssh server configuration - Are public key and password exclusive?

[Christopher Browne]

On Fri, Jan 13, 2012 at 12:10 PM, William Muriithi
<william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> Afternoon pal
>
> I am interested in configuring sshd to use both PKI and password and
> this do not seem possible from what I can tell by a bit of googling?
> Is this correct?  Have someone here ever managed to achieve that?

Well, if I use a key that has a password attached, then the local
agent checks the password before allowing access to the key for the
purposes of using the key to access a remote system.  However there is
not a way for the sshd server to determine whether or not the password
on that key was null, and the validation takes place on the local
host, it's not done by sshd.

It sounds as though what you're asking for is instead for sshd to
require multiple forms of authentication.

It's not a built-in thing:
http://marc.info/?l=secure-shell&m=114954496014532&w=2

Another thought would be to hack with the resulting shell to require a
password check after logging in via the public key.

The following describes the use of an "sshgatekeeper" script to do a
post-connection password check.
https://calomel.org/openssh.html

But that feels pretty kludgey and fragile to me.

My inclination would be, in an environment where this sort of thing is
required, to have a step that requires submission of *both* the public
and private ssh key, which then refuses to install the public key in
~/.ssh/authorized_keys if the private key uses a null key.  That takes
us back to the initial scenario I described above, with the guarantee
that there is a password on the private key.
-- 
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists