On Wed, Mar 27, 2019 at 2:31 AM Ted Unangst <t...@tedunangst.com> wrote:
> Boris Epstein wrote:
> > Thanks. It makes sense to be able to select login methods under some
> > circumstances - but do I have an option of forcing the user to log in using
> > a predetermined set of methods (for instance, password and then a secure
> > key, or password and YubiKey, or password and SSL key)?
>
> If you want to require two methods, you have to specify a combined method,
> with an appropriate utility in /usr/libexec/auth. This is tricky because the
> API only allows for one challenge/response, not a series of them. (Unless I'm
> mistaken.)

It is interesting because some people mention combined methods - like SSL hostkey + some second factor being used just in that fashion:

https://chown.me/blog/2FA-with-ssh-on-OpenBSD.html

But based on my experience thus far it looks like Ted is right. So I may have to write a utility for combined login. What should that utility do - call the two methods in question and return true or false depending on whether they succeed?

Thanks for all the help.

Boris.