Damien,
Thanks, it would be great if this functionality could be added!
I haven't thought about the syntax too much other than my quick proposal
below. But assuming the old syntax would be left as is and the new
multiple source syntax would be optional? Maybe 'publickey' could be an
alias for 'publickey[0]' for backward compatibility, and the same thing
for the accompanying AuthorizedKeys* options that would be referenced?
Jim
On 2020-06-03 19:13, Damien Miller wrote:
On Wed, 3 Jun 2020, mailto428496 wrote:
I don't see a way to do this currently (unless I am missing something)
but I would like to be able to specify that in order for a user to
log in, they need to use at least 1 public key from 2 separate key
sources. Specifically this would be when using "AuthenticationMethods
publickey,publickey". Right now requiring 2 public keys for
authentication will allow 2 public keys from any authorized key source
specified without distinction. I would like a way to say, require 1 key
from source A and 1 key from source B.
Like if there was a way to specify something like this for example:
AuthenticationMethods publickey[1],publickey[2]
AuthorizedKeysCommand[1] <source_a_command_script>
AuthorizedKeysCommand[2] <source_b_command_script>
and the same for AuthorizedKeysFile (for our needs multiple commands
would be fine, but might as well support it for both)
There's no way to do this at present. If we can figure out a good
syntax for expressing it, then we could add it (a few people have
asked for similar things before).
-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
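
The distinction requested in this thread, as an added example that is not part of the original messages and is not OpenSSH code: a small Python model comparing "any two keys from the pooled sources" (the behaviour described above for "AuthenticationMethods publickey,publickey") with "one key from each source". The source names A and B, the function names and the key blobs are constructed placeholders, and the parser assumes key lines without a leading options field.

```python
# Model only, not OpenSSH code. Key blobs below are constructed placeholders.
SOURCE_A = """\
# output of a hypothetical source A command
ssh-ed25519 AAAAC3ExampleKeyA1 alice@laptop
ssh-ed25519 AAAAC3ExampleKeyA2 alice@desktop
"""
SOURCE_B = """\
# output of a hypothetical source B command
ssh-ed25519 AAAAC3ExampleKeyB1 alice@token
"""


def parse_keys(text):
    """Return the set of (type, blob) pairs from authorized_keys-style lines."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        keys.add((fields[0], fields[1]))  # assumption: no options field
    return keys


SOURCES = {"A": parse_keys(SOURCE_A), "B": parse_keys(SOURCE_B)}


def pooled_accepts(presented, sources, required=2):
    """Behaviour described in the thread: distinct keys from any source count."""
    pool = set().union(*sources.values())
    return len(set(presented) & pool) >= required


def per_source_accepts(presented, sources):
    """Requested behaviour: every source is satisfied by a different key."""
    names = list(sources)
    candidates = list(dict.fromkeys(presented))  # de-duplicate, keep order

    def assign(i, used):
        # Backtracking so a key listed in several sources is counted once.
        if i == len(names):
            return True
        return any(
            k in sources[names[i]] and k not in used and assign(i + 1, used | {k})
            for k in candidates
        )

    return assign(0, frozenset())
```
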