On Tue, 25 Jun 2019, Erik Johnston wrote:

> Hey everyone,
>
> Basically, I'm trying to figure out if I can configure sshd to require
> that the user has a key that has been signed by a trusted user CA
> *and* is listed separately as an authorised key (or the user has a
> signed key and a different authorised key)?
>
> The closest I've come is having an `authorized_keys` file have
> two entries consisting of the CA key and a normal key with
> `AuthenticationMethods: publickey,publickey` option set, so that sshd
> requires that a user produces both the normal key and a signed key.
> This works, but means a user can't then have multiple keys (e.g. one
> per device), and feels somewhat brittle in that adding a key to that
> file breaks the requirement that the user presents a signed key.

There's no good way to express multi-factor authentication using just
keys in sshd_config at the moment. You've hit on what is the closest
that you can do - listing each of the keys that you require and setting
AuthenticationMethods=publickey,publickey

This only happens to work because most* versions of sshd will refuse to
allow a single public key to pass multiple required authentications.
That this allows MFA using pubkeys only isn't quite accidental behaviour
(I had this case in mind when I implemented it), but it's still a long
way from a proper system.

I'm certainly open to implementing the other parts that are needed to
pure-pubkey MFA, but I'm unsure what the sshd configuration UI would
look like. So let me ask: how would you like it to work?

I guess the cert+plain key combo is likely to be a fairly common
requirement. Maybe we could bundle the keys required into the
AuthenticationMethods line, e.g.

AuthenticationMethods publickey:CA/9+CulD19jyl0DEPteRcXM8uVbYsG3MgbSslrgXkt458,publickey

-d

* versions prior to 6.8 didn't enforce this

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
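The following is an added example, not part of the thread and not OpenSSH's own code. It sketches the "cert-authority entry plus one plain key, with AuthenticationMethods publickey,publickey" setup the reply calls the closest current workaround, and adds a small audit check for the brittleness Erik points out: once a second plain key is appended to that authorized_keys file, two plain keys satisfy publickey,publickey on their own and the signed-key requirement silently disappears. The group name, file contents and key blobs are constructed placeholders; the check only parses the first whitespace-separated token of each line for the cert-authority option, so option strings containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the thread). Shows the two-publickey sshd_config
# fragment discussed above and a check that an authorized_keys file still
# enforces "signed key AND exactly one plain key" under that setting.
# All names, paths and key blobs below are constructed placeholders.

# sshd_config fragment: require two successful publickey authentications
# for members of a (hypothetical) group.
sshd_config_fragment() {
    cat <<'EOF'
Match Group certusers
    AuthenticationMethods publickey,publickey
EOF
}

# Constructed authorized_keys contents: one cert-authority entry plus one
# plain device key. Key blobs are fake placeholders, not real keys.
AUTHORIZED_KEYS_OK='cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCAKEY user-ca
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERDEVICEKEY laptop'

# The same file after a second device key was appended. Two plain keys now
# satisfy publickey,publickey by themselves, so a signed key is no longer
# required: this is the brittleness the thread describes.
AUTHORIZED_KEYS_WEAK="$AUTHORIZED_KEYS_OK
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPHONEKEY phone"

# True when the first token of a line is an options field carrying
# cert-authority (options precede the key type; key types start with
# ssh-, ecdsa- or sk-). Quoted options containing spaces are not handled.
_is_ca_line='$1 !~ /^(ssh-|ecdsa-|sk-)/ && $1 ~ /(^|,)cert-authority(,|$)/'

# Number of plain (non-CA) key entries, ignoring blanks and comments.
count_plain_keys() {
    printf '%s\n' "$1" | awk "
        /^[[:space:]]*(#|\$)/ { next }
        $_is_ca_line { next }
        { n++ }
        END { print n + 0 }"
}

# Number of cert-authority entries.
count_ca_entries() {
    printf '%s\n' "$1" | awk "
        $_is_ca_line { n++ }
        END { print n + 0 }"
}

# Exit status 0 when the file still enforces "signed key AND one plain key"
# under AuthenticationMethods publickey,publickey; 1 otherwise.
enforces_cert_plus_key() {
    plain=$(count_plain_keys "$1")
    ca=$(count_ca_entries "$1")
    if [ "$ca" -ge 1 ] && [ "$plain" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Demonstration against the two constructed files.
sshd_config_fragment
for name in AUTHORIZED_KEYS_OK AUTHORIZED_KEYS_WEAK; do
    eval "contents=\$$name"
    if enforces_cert_plus_key "$contents"; then
        echo "$name: cert + single plain key requirement still enforced"
    else
        echo "$name: WARNING requirement no longer enforced" \
             "($(count_plain_keys "$contents") plain keys present)"
    fi
done
```

The check is deliberately conservative: it flags any file with more than one plain key because, with publickey,publickey, sshd has no way to say "one of the two must be a certificate". Note the footnote in the reply as well: on sshd releases before 6.8 the same key could satisfy both publickey slots, so even a correctly shaped file did not give two factors there.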