I would like for sshd to verify the users' public key and then prompt for their password, rather than just one or the other. Is this possible?
4 Answers
This is finally available as of OpenSSH 6.2 (released March 2013), using the AuthenticationMethods configuration option.
For instance, you may add the following line to sshd_config to require both public-key and password authentication:
AuthenticationMethods publickey,password
When logging in, ssh and scp will first perform public-key authentication, and then prompt for a password:
$ ssh user@example.org
Authenticated with partial success.
user@example.org's password:
If you have a password on your private key file, you will of course first be prompted for that. Example using PuTTY:
Using username "user".
Authenticating with public key "rsa-key-20131221-user"
Passphrase for key "rsa-key-20131221-user":
Further authentication required
user@example.org's password:
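One pitfall with the option described in this answer is the separator: in sshd_config, methods joined by commas are all required, while whitespace separates alternative lists, any one of which is enough on its own. The following audit script is an added example, not part of the original answer; it reads an sshd_config and fails unless AuthenticationMethods is set globally and every list it offers requires at least two methods. The sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# check_auth_methods FILE
# Exit 0 only if FILE sets AuthenticationMethods before any Match block
# and every alternative list (global or Match-scoped) names at least two
# comma-joined methods. Exit 1 otherwise ("any" or a single method counts
# as weak, since either lets one factor alone log the user in).
check_auth_methods() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        tolower($1) == "match" { in_match = 1; next }
        tolower($1) == "authenticationmethods" {
            if (!in_match) have_global = 1
            for (i = 2; i <= NF; i++) {
                # each whitespace-separated field is one alternative list
                if (split($i, m, ",") < 2) weak = 1
            }
        }
        END { if (have_global && !weak) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample configs (not from any real server) for a stand-alone run.
make_samples() {
    printf '%s\n' 'AuthenticationMethods publickey,password' > strict.conf
    # whitespace, not a comma: either factor alone logs the user in
    printf '%s\n' 'AuthenticationMethods publickey password' > weak.conf
    # global setting is fine, but a Match block weakens it for one user
    printf '%s\n' 'AuthenticationMethods publickey,password' \
        'Match User backup' '    AuthenticationMethods publickey' > match.conf
    # only Match-scoped: every other user keeps the single-factor default
    printf '%s\n' 'Match Group admins' \
        '    AuthenticationMethods publickey,password' > matchonly.conf
}

make_samples
for f in strict.conf weak.conf match.conf matchonly.conf; do
    if check_auth_methods "$f"; then echo "$f: two factors required for every login"
    else echo "$f: NOT two-factor for every login"; fi
done
```

The same check can be run against the live effective configuration by feeding it `sshd -T` output instead of the file, since `sshd -T` prints one lower-cased directive per line.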
Not presently. But there are some patches floating around that are supposed to add this.
OpenSSH in RHEL/CentOS 6.3 now supports this feature, although I can't find it mentioned in the OpenSSH release notes. From the RHEL release notes:
SSH can now be set up to require multiple ways of authentication (whereas previously SSH allowed multiple ways of authentication of which only one was required for a successful login); for example, logging in to an SSH-enabled machine requires both a passphrase and a public key to be entered. The RequiredAuthentications1 and RequiredAuthentications2 options can be configured in the /etc/ssh/sshd_config file to specify authentications that are required for a successful login. For example:
~]# echo "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config
For more information on the aforementioned /etc/ssh/sshd_config options, refer to the sshd_config man page.
It is possible but in a kludgish and limited sort of way. First you only allow public key authentication. Then in /etc/ssh/sshd_config add a ForceCommand that executes a script that will check the password.
The script will break SFTP unless you check that the command is sftp and allow it through without a password.
I've never tried this so somebody may be able to see more issues.