ssh server configuration - Are public key and password exclusive?

William Muriithi william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Jan 13 19:07:50 UTC 2012


>
> Well, if I use a key that has a password attached, then the local
> agent checks the password before allowing access to the key for the
> purposes of using the key to access a remote system.  However there is
> not a way for the sshd server to determine whether or not the password
> on that key was null, and the validation takes place on the local
> host, it's not done by sshd.
No, that is not what I wanted.  That is a client solution and does not
scale or cannot be enforced.

>
> It sounds as though what you're asking for is instead for sshd to
> require multiple forms of authentication.
Yep, that's correct; I should have used that phrase, now that I think of it.
> It's not a built-in thing:
> http://marc.info/?l=secure-shell&m=114954496014532&w=2
>
Hmm, now that is the answer to my question.  Hmm, I guess I will go
with Google Authenticator as Jason mentioned.
> Another thought would be to hack with the resulting shell to require a
> password check after logging in via the public key.
Agreed, Neil. I do not see why OpenSSH decided not to support password
and PKI.  They would just have needed one configuration flag and a bit
of code refactoring.

I wonder if there is any public discussion out there on how they arrived
at this decision.  Maybe there is a security implication behind it,
since the OpenSSH developers are security guys.

Anyway, again, thanks for the feedback.

William
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
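
Added example, not part of the original message or of OpenSSH: a client-side check showing the point quoted above, that whether a key has a passphrase is recorded only in the private key file, while the public key blob sshd sees is the same either way. It assumes the openssh-key-v1 layout from OpenSSH's PROTOCOL.key and the legacy PEM "Proc-Type" header; the function names are hypothetical and the sample keys are constructed from dummy all-zero bytes.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"  # container magic, per OpenSSH's PROTOCOL.key

def _s(b):
    """SSH wire string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def sample_v1(cipher, kdf, kdfopts, private_section):
    """Constructed sample: a v1 container around dummy (all-zero) key bytes."""
    pub = _s(b"ssh-ed25519") + _s(bytes(32))
    body = (MAGIC + _s(cipher) + _s(kdf) + _s(kdfopts)
            + struct.pack(">I", 1) + _s(pub) + _s(private_section))
    b64 = base64.b64encode(body).decode()
    rows = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + rows
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

def read_v1(pem):
    """Return (ciphername, public key blob) from an openssh-key-v1 file."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    raw = base64.b64decode("".join(lines[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(MAGIC)
    def take():
        nonlocal off
        if off + 4 > len(raw):
            raise ValueError("truncated key file")
        (n,) = struct.unpack_from(">I", raw, off)
        field = raw[off + 4:off + 4 + n]
        if len(field) != n:
            raise ValueError("truncated key file")
        off += 4 + n
        return field
    cipher, _kdf, _kdfopts = take(), take(), take()
    off += 4  # skip the uint32 key count
    return cipher.decode("ascii"), take()

def key_is_encrypted(pem):
    """True if the key file is passphrase-protected, judged from its header alone."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in pem:
        return read_v1(pem)[0] != "none"
    # Legacy PEM keys flag encryption with a Proc-Type header instead.
    return any(l.strip() == "Proc-Type: 4,ENCRYPTED" for l in pem.splitlines())

PLAIN = sample_v1(b"none", b"none", b"", bytes(64))
LOCKED = sample_v1(b"aes256-ctr", b"bcrypt", _s(bytes(16)) + struct.pack(">I", 16), bytes(64))
```

Run over the key files on a workstation, key_is_encrypted() flags keys stored without a passphrase; nothing equivalent is available on the server side, because read_v1() returns the same public blob for PLAIN and LOCKED.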




