On Wed, 21 Oct 2020, Jan Bergner wrote:

> Hello all,
>
> in order to connect to my SSH servers from untrusted devices like company
> computers or my smartphone, I set up 2FA with google-authenticator hooked
> into PAM.
>
> However, this is not really 2FA at least for the smartphone, since I use
> the same device for generating the TANs and it is also at least
> inconvenient to always require a new TAN for each connection. I do not
> want to solely rely on SSH keys on these devices since - as I pointed out -
> I do not really trust them.
>
> So, my idea was to use SSH keys but to also require the server's PAM login
> for these "semi-trusted" keys. But of course, I want to trust the keys on
> my own laptop and desktop without an additional PAM password. Therefore, I
> cannot simply use something like
>
> AuthenticationMethods publickey,password

Since the main difference here is how much you trust the originating host,
you might want to consider setting up host-based authentication for those
hosts and using a config like:

AuthenticationMethods publickey,password publickey,hostbased

This would allow users to log in with (public key AND password) OR (public
key and host-based).

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
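The suggestion above only shows the AuthenticationMethods line; the host-based half also needs the server to know and trust the client hosts' host keys, and the trusted clients need to be willing to sign with their host key. The fragment below is an added, worked illustration of the complete setup and is not part of the thread. The hostnames `laptop.example.net` and `desktop.example.net` are constructed placeholders for the poster's own trusted machines; `HostbasedAuthentication`, `HostbasedUsesNameFromPacketOnly`, `IgnoreUserKnownHosts` and `EnableSSHKeysign` are real OpenSSH options.

```text
# --- server: /etc/ssh/sshd_config ---------------------------------------
# Every login needs a public key; the second factor is EITHER a
# PAM/password check OR proof that the connection comes from a trusted host.
AuthenticationMethods publickey,password publickey,hostbased
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
HostbasedAuthentication yes
# Verify the client's claimed hostname by reverse DNS rather than trusting
# the name sent in the packet alone (the default, stated for clarity).
HostbasedUsesNameFromPacketOnly no
# Only the administrator-controlled /etc/ssh/ssh_known_hosts may vouch for
# a client host key; users must not be able to add "trusted hosts" themselves.
IgnoreUserKnownHosts yes

# --- server: /etc/ssh/shosts.equiv (system-wide list of trusted client hosts)
laptop.example.net
desktop.example.net

# --- server: /etc/ssh/ssh_known_hosts (client host public keys) ----------
# Copy each trusted client's /etc/ssh/ssh_host_*_key.pub here, one per line:
laptop.example.net  ssh-ed25519 AAAA...placeholder-host-key-of-laptop...
desktop.example.net ssh-ed25519 AAAA...placeholder-host-key-of-desktop...

# --- trusted clients (laptop, desktop): /etc/ssh/ssh_config ---------------
# Offer host-based authentication and let the setuid ssh-keysign helper sign
# the challenge with the client's host key. Untrusted devices simply lack
# this configuration and their host key is not in ssh_known_hosts, so they
# fall through to the publickey,password method and get the PAM prompt.
Host *.example.net
    HostbasedAuthentication yes
    EnableSSHKeysign yes
```

The security property this relies on is that the client host key can only be used by root on the client (ssh-keysign reads the private host key with elevated privileges), so "trusted host" really means "a host whose root you trust". Leaving `IgnoreUserKnownHosts yes` is what stops a user on the semi-trusted device from promoting it to trusted by editing their own `~/.ssh/known_hosts`. After editing, `sshd -t` on the server checks the syntax before the daemon is reloaded.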