Why not just use Yubikeys? SSH keys (at least the RSA type; the SSH developers' failure to adopt other supported key types after many years is something of an unnecessary frustration to the greater SSH community). So issue your users with Yubikeys. You can enforce the Yubikey so it requires the user to enter a PIN *and* touch the Yubikey. This means there's an incredibly high degree of confidence that it was the user who performed the action (i.e. two-factor authentication of physical Yubikey and PIN, plus anti-keylogger because of the mandatory touching of the Yubikey). You can use Yubikeys with ssh-add too, if you want. Or you can just use it for ad-hoc individual logins.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
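The setup the post describes (a hardware token whose every signature needs both a PIN and a touch, usable directly or through ssh-add), worked through as an added example that is not part of the original message or of OpenSSH's own documentation. It uses the FIDO2 "sk" key path available in OpenSSH 8.2 and later rather than the PIV/PKCS#11 route the post alludes to; the key file paths, the PKCS#11 library location and the sample authorized_keys entries are assumptions, and the hardware-touching functions are only defined, not run:

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Enrolls a FIDO2 security key
# (e.g. a YubiKey 5) as an OpenSSH "sk" key that demands PIN + touch, and pins
# that requirement on the server so a client cannot quietly weaken it.
# Assumes OpenSSH >= 8.2 built with security-key support; paths are assumptions.

# Client: generate an ed25519-sk key. -O verify-required makes every signature
# require user verification (the FIDO2 PIN); user presence (touch) is required
# by default. -O resident stores the key handle on the token so "ssh-add -K"
# can load it on another machine without copying any file.
enroll_sk_key() {
    key_path="${1:-$HOME/.ssh/id_ed25519_sk}"      # assumed default path
    ssh-keygen -t ed25519-sk -O verify-required -O resident \
        -C "yubikey-$(id -un)" -f "$key_path"
}

# Client: load the key into ssh-agent. With no argument, enumerate resident
# keys on the attached token; otherwise add the stub written by ssh-keygen.
# Each later signature still prompts for PIN and touch on the token itself.
load_sk_into_agent() {
    if [ "$#" -eq 0 ]; then
        ssh-add -K
    else
        ssh-add "$1"
    fi
}

# Client, PIV/PKCS#11 route for RSA keys held in the YubiKey PIV applet:
# the agent signs through the provider library (library path is an assumption).
load_piv_into_agent() {
    ssh-add -s "${1:-/usr/local/lib/libykcs11.so}"
}

# Server: an authorized_keys line that refuses the key unless the signature
# carries the user-verification (PIN) flag. Touch is asserted by default for
# sk keys; "no-touch-required" would be the option that weakens it.
authorized_keys_line() {
    pubkey="$1"    # e.g. "sk-ssh-ed25519@openssh.com AAAA... comment"
    printf 'verify-required %s\n' "$pubkey"
}

# Server, fleet-wide: sshd_config directive enforcing both flags for every
# security-key login regardless of what the user's authorized_keys says.
sshd_policy() {
    printf 'PubkeyAuthOptions touch-required verify-required\n'
}

# Server audit: return 1 if any non-comment entry in an authorized_keys file
# is not a hardware-backed sk key type (a left-over ssh-rsa, say).
require_sk_only() {
    file="$1"
    bad=$(grep -vE '^[[:space:]]*(#|$)' "$file" \
        | grep -vE '(^|[[:space:]])sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com[[:space:]]' \
        || true)
    if [ -n "$bad" ]; then
        printf 'non-security-key entries:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}
```

The server-side half is what makes the PIN and touch guarantees trustworthy: the `verify-required` and `touch-required` flags are checked by sshd against the flags the token embedded in the signature, so a client that enrolled a key without `-O verify-required` is simply rejected rather than silently accepted with one factor.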