you can't at the moment unless you switch to commercial SSH.  OpenSSH lets you require 
either pubkey or password, but not both.  if you specify both it will just take either 
one and let the other slide.

I've been hoping for this feature too (posted about it recently in fact), but don't 
know when or whether to expect it.  I found the patch, which was submitted to 
openssh-unix-dev in march, but haven't tried it out yet.

also see below for dkf's response to my inquiry...

radish

p.s. thanks, dkf.  a pubkey PAM module sounds pretty useful actually.  maybe 
someday...  ;-)


On 8/15/01 at 15:14, [EMAIL PROTECTED] (Tony A. Tran) wrote:

> i'm trying to make OpenSSH require Public Key User
> Authentication along with the password authentication.
> i've tried the keywords DSAAuthentication and
> PubKeyAuthentication, but it still succeeds when password
> succeeds but pubkey fails.  how can i make it require both?



On 8/2/01 at 0:28, [EMAIL PROTECTED] (David Knight French) wrote:

> You can do that now if you have PAM support in your OS and
> compile it in.  You can then stack authentication.  For
> clients that support multiple password prompts (called PAM
> authentication in some clients), it works great.  I use
> this to authenticate against the local password file as
> well as requiring a SecurID token--using a SecurID pam
> module I wrote.
> 
> The reason the client has to support PAM authentication,
> is the original ssh v1 clients did the prompting and sent
> the input to the server.  For these clients, when you see
> [EMAIL PROTECTED]'s password: it is the client
> printing the prompt and reading the input, not the server.
> 
> The clients in the latest OpenSSH now support this when
> the server has PAM and wants to send prompts and request
> input.  If I remember properly, for ssh.com v2.x clients,
> you can get this functionality by adding pam to the list
> of allowed authentication protocols in the ssh_config
> file.  You will have to look at the documentation for the
> actual name to use.  I don't think it is simply pam.  Many
> of the latest windows clients also allow remote prompting.
> 
> If you do request multiple authentications that require
> prompts, be aware that older clients will fail since they
> don't understand receiving prompts from the server.
> 
> Hope this helps.
> 
> --Dave
> 
> PS.  Of course this doesn't allow you to do pubkey +
> passwd as listed in the Subject.  To get that using what I
> described, you would have to hack the code or devise a
> pubkey PAM module.
> 
> --
> David Knight French                           
> Black Mountain Computer Consulting
> Voice: (858)573-2959
> Email: [EMAIL PROTECTED]
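
An added example, not part of the original thread and not dkf's code: a small Python check that reads a Linux-PAM service file for sshd and reports which auth modules every login must pass, since a `sufficient` entry placed earlier lets later `required` modules be skipped. The file contents are constructed, and `pam_securid_example.so` is a hypothetical name standing in for the SecurID module mentioned above.

```python
MANDATORY = {"required", "requisite"}

def enforced_auth_modules(pam_text):
    """Return (enforced, unresolved) for the auth stack of one PAM service file.

    enforced   -- auth modules that cannot be skipped by an earlier module
    unresolved -- auth lines this check cannot judge (include, [..] controls)
    """
    enforced, unresolved = [], []
    bypass_possible = False  # set once a 'sufficient' auth module is seen
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue                          # only the auth stack matters here
        control, module = fields[1], fields[2]
        if control.startswith("[") or control in {"include", "substack"}:
            unresolved.append(line)           # needs manual review
        elif control == "sufficient":
            bypass_possible = True            # success here ends the stack early
        elif control in MANDATORY and not bypass_possible:
            enforced.append(module)
        # 'optional' modules never decide the outcome of a multi-module stack
    return enforced, unresolved

def requires_both_factors(pam_text):
    """True only if two distinct modules are enforced and nothing is unresolved."""
    enforced, unresolved = enforced_auth_modules(pam_text)
    return len(set(enforced)) >= 2 and not unresolved

# Constructed sample: password and token both mandatory.
STACKED = """
auth     required  pam_unix.so
auth     required  pam_securid_example.so   # hypothetical module name
account  required  pam_unix.so
"""

# Constructed sample: a correct password alone ends the stack with success.
BYPASSABLE = """
auth  sufficient  pam_unix.so
auth  required    pam_securid_example.so
"""

if __name__ == "__main__":
    for name, text in (("STACKED", STACKED), ("BYPASSABLE", BYPASSABLE)):
        print(name, enforced_auth_modules(text), requires_both_factors(text))
```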


