<div dir="ltr">Some googling around the option name (RequiredAuthentications2) suggests that it is only in RH's patched version of OpenSSH, however a patch based on that should be included in OpenSSH 6.2. I look forward to that -- SSH keys are NOT 2-factor, despite what many people may say. There's no way to force someone to have an encrypted key, so the passphrase is not a 2nd factor. I'd like to see SSH key + pw become the standard.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Dec 27, 2012 at 4:39 PM, Mike Harrison <span dir="ltr"><<a href="mailto:cluon@geeklabs.com" target="_blank">cluon@geeklabs.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">David:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm not aware of any way to configure OpenSSH to ask for multiple authentication factors. You can fudge it with PAM (password + otp, for example) but not with anything involving public<br>
keys. (Unless something has changed since I looked ~1 year ago at my last job.)<br>
</blockquote>
<br>
Good disclaimer, :) Best example I found is listed below,<br>
and while it's new to OpenSSH, it's been around in other versions (<a href="http://ssh.com" target="_blank">ssh.com</a>) Look like two factor auth has been added to OpenSSH in certain versions. It does not work on my Bodhi Linux system. (OpenSSH_5.9p1 Debian-5ubuntu1)<br>
<br>
It also does not show up in the official docs:<br>
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5" target="_blank">http://www.openbsd.org/cgi-<u></u>bin/man.cgi?query=sshd_config&<u></u>sektion=5</a><br>
<br>
I've got a Redhat system I can test in the office... and will do when I can....<br>
<br>
<br>
------------------------------<u></u>-------------------------<br>
<br>
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=657378" target="_blank">https://bugzilla.redhat.com/<u></u>show_bug.cgi?id=657378</a><br>
<br>
Fixed In Version: openssh-5.3p1-80.el6<br>
Doc Type: Enhancement<br>
Doc Text:<br>
Multiple required methods of authentications for sshd SSH can now be set up to require multiple ways of authentication (whereas previously SSH allowed multiple ways of authentication of which only one was required for a successful login); for example, logging in to an SSH-enabled machine requires both a passphrase and a public key to be entered. The RequiredAuthentications1 and RequiredAuthentications2 options can be configured in the /etc/ssh/sshd_config file to specify authentications that are required for a successful log in. For example: ~]# echo "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config For more information on the aforementioned /etc/ssh/sshd_config options, refer to the sshd_config man page.<br>
<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div>