Auth via Multiple Publickeys, Using Multiple Sources, One Key per Source


I don't see a way to do this currently (unless I am missing something) but I would like to be able to specify that, in order for a user to log in, they need to use at least 1 public key from 2 separate key sources.  Specifically this would be when using "AuthenticationMethods publickey,publickey".  Right now requiring 2 public keys for authentication will allow 2 public keys from any authorized key source specified, without distinction.  I would like a way to say: require 1 key from source A and 1 key from source B.

Like if there was a way to specify something like this for example:

    AuthenticationMethods publickey[1],publickey[2]
    AuthorizedKeysCommand[1] <source_a_command_script>
    AuthorizedKeysCommand[2] <source_b_command_script>

and the same for AuthorizedKeysFile (for our needs multiple commands would be fine, but we might as well support it for both).

Let me also give an example of why I am interested in this, for context.  We would like to associate two different types of public keys with each user's account.  One would be a "client machine" public key (of which there could be several, if the user is allowed to log in from multiple systems) and the other would be a public key from a user token, such as a smartcard (we don't want 2 "client machine" public keys to be able to be combined to bypass the user's token login).  A (poor) workaround is to use the same private key on all of the user's machines, but I would prefer not to do this, both in general for security reasons and also so that if a user's machine is lost, stolen, or we just want to deauthorize it, the pubkey for that machine can be removed from the database.

Anyway, I don't see a way to do this currently so I thought I would throw it out there as a potential future enhancement.  Or please enlighten me if there is some magic way to do this that I am missing ;-)

Thanks,


Jim

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
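The gap the post describes, modelled as an added example (this is not OpenSSH code and not the poster's; source names and key strings are constructed samples): the first function reproduces the semantics the post attributes to "AuthenticationMethods publickey,publickey", where any two authorized keys from the union of sources pass, and the second is the requested one-key-per-source rule that would stop two "client machine" keys from standing in for the token.

```python
"""Model of the two-publickey policy discussed in the post (illustration only)."""
from typing import Dict, List, Set

# Constructed sample sources. In sshd these would be the key lists produced by
# AuthorizedKeysFile / AuthorizedKeysCommand; the key strings are placeholders.
SOURCES: Dict[str, Set[str]] = {
    "client_machines": {"ssh-ed25519 LAPTOPKEY", "ssh-ed25519 DESKTOPKEY"},
    "user_token": {"ecdsa-sha2-nistp256 SMARTCARDKEY"},
}


def union_policy(presented: List[str], sources: Dict[str, Set[str]], required: int = 2) -> bool:
    """Semantics the post describes for publickey,publickey today: any `required`
    distinct authorized keys pass, regardless of which source they came from."""
    authorized: Set[str] = set().union(*sources.values())
    accepted = {k for k in presented if k in authorized}
    return len(accepted) >= required


def per_source_policy(presented: List[str], sources: Dict[str, Set[str]]) -> bool:
    """Requested semantics: at least one presented key must match every source,
    so two keys from the same source can never satisfy the second factor."""
    return all(any(k in keys for k in presented) for keys in sources.values())


if __name__ == "__main__":
    two_machines = ["ssh-ed25519 LAPTOPKEY", "ssh-ed25519 DESKTOPKEY"]
    machine_and_token = ["ssh-ed25519 LAPTOPKEY", "ecdsa-sha2-nistp256 SMARTCARDKEY"]
    print("two client keys, union policy:     ", union_policy(two_machines, SOURCES))
    print("two client keys, per-source policy:", per_source_policy(two_machines, SOURCES))
    print("machine + token, per-source policy:", per_source_policy(machine_and_token, SOURCES))
```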



