AFAIK, sshd, by itself, cannot enforce your specific 2FA requirement (one cert + one authorized key). You could potentially leverage AuthorizedKeysCommand. It would probably require maintaining some state (authorized_keys, trusted ca keys, auth attempts) on your own.

________________________________
From: openssh-unix-dev <openssh-unix-dev-bounces+manojampalam=live.com@xxxxxxxxxxx> on behalf of Erik Johnston <erikj-openssh@xxxxxx>
Sent: Tuesday, June 25, 2019 10:22:55 AM
To: openssh-unix-dev@xxxxxxxxxxx
Subject: Requiring certificate signature and an authorized key to authenticate

Hey everyone,

Basically, I'm trying to figure out if I can configure sshd to require that the user has a key that has been signed by a trusted user CA *and* is listed separately as an authorised key (or the user has a signed key and a different authorised key)?

The closest I've come is having an `authorized_keys` file with two entries consisting of the CA key and a normal key, with the `AuthenticationMethods publickey,publickey` option set, so that sshd requires that a user produces both the normal key and a signed key. This works, but means a user can't then have multiple keys (e.g. one per device), and feels somewhat brittle in that adding a key to that file breaks the requirement that the user presents a signed key.

The motivation behind this is that I've been looking at using a self-service cert authority that lets users get their keys signed by the CA in a restricted way, e.g. be IP locked, have expiry times, require third-party approval to get access to certain hosts, etc. However, I'm uncomfortable having a single server hold the CA key, since if the box gets owned they get credentials to access everything. Hence wondering if we could require having both a valid key *and* a valid signature from the CA, as then having the cert by itself is useless.

Thoughts and suggestions welcome, including that this sounds like a terrible idea and I'm doing it wrong.
Thanks,
Erik

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
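As an added illustration of the AuthorizedKeysCommand direction mentioned in the reply (this is example code written for this page, not code from the thread, from Erik's setup, or from OpenSSH), the script below implements the part that needs no per-connection state: sshd hands it the user name (%u) and the type of the key or certificate the client is offering (%t), and it answers with only the authorized_keys lines that can match that offer. A certificate offer only ever sees the `cert-authority` line(s); a plain-key offer only ever sees the plain per-device keys, so adding another device key can no longer satisfy the "signed key" role. Assumptions: the script is installed as /usr/local/sbin/ssh-keys-by-type (a hypothetical path), the key store is a constructed inline dict with placeholder blobs rather than real keys or files, and backslash-escaped quotes inside authorized_keys options are not handled. On its own this still does not force one certificate plus one plain key per login under `AuthenticationMethods publickey,publickey`; the per-attempt state the reply refers to is deliberately not attempted here.

```python
#!/usr/bin/env python3
"""Hypothetical AuthorizedKeysCommand: return authorized_keys lines filtered by the
offered key type. Example code for this page, not OpenSSH's or the poster's.

Matching sshd_config (assumed install path):
  AuthorizedKeysCommand /usr/local/sbin/ssh-keys-by-type %u %t
  AuthorizedKeysCommandUser nobody
  AuthenticationMethods publickey,publickey
"""
import sys

# Constructed sample store: one authorized_keys-style list per user.
# The base64 blobs are placeholders, not real keys.
SAMPLE_STORE = {
    "erik": [
        'cert-authority,principals="erik" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCAKEY user-ca',
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERLAPTOP erik@laptop",
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERDESKTOP erik@desktop",
    ],
}

CERT_SUFFIX = "-cert-v01@openssh.com"          # OpenSSH certificate key types end this way
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting like this has no options field


def is_certificate_type(key_type):
    """True for the %t value of a certificate offer (e.g. ssh-ed25519-cert-v01@openssh.com)."""
    return key_type.endswith(CERT_SUFFIX)


def split_options(options):
    """Split the comma-separated options field, keeping commas inside double quotes."""
    out, cur, in_quote = [], [], False
    for c in options:
        if c == '"':
            in_quote = not in_quote
            cur.append(c)
        elif c == "," and not in_quote:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(c)
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line):
    """Return (options list, key type, blob, comment) for one authorized_keys line."""
    line = line.strip()
    if line.startswith(KEY_TYPE_PREFIXES):
        options, rest = "", line
    else:
        # The options field ends at the first space outside double quotes.
        in_quote, i = False, 0
        while i < len(line):
            if line[i] == '"':
                in_quote = not in_quote
            elif line[i] == " " and not in_quote:
                break
            i += 1
        options, rest = line[:i], line[i:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an authorized_keys line: %r" % line)
    comment = parts[2] if len(parts) == 3 else ""
    return split_options(options), parts[0], parts[1], comment


def select_lines(lines, offered_key_type):
    """Keep cert-authority lines for a certificate offer, plain keys for a plain-key offer."""
    want_ca = is_certificate_type(offered_key_type)
    selected = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        options = parse_line(line)[0]
        if ("cert-authority" in options) == want_ca:
            selected.append(line)
    return selected


def main(argv):
    # sshd runs: ssh-keys-by-type <user> <offered key type>
    if len(argv) != 3:
        sys.stderr.write("usage: ssh-keys-by-type USER KEYTYPE\n")
        return 2
    user, offered = argv[1], argv[2]
    for line in select_lines(SAMPLE_STORE.get(user, []), offered):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it as `ssh-keys-by-type erik ssh-ed25519-cert-v01@openssh.com` prints only the `cert-authority` line, while `ssh-keys-by-type erik ssh-ed25519` prints the two device keys; in a real deployment the store would be read from root-owned files and the command would run as an unprivileged AuthorizedKeysCommandUser.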