Hello Damien, Brian and all,
thanks for the suggestions. I actually had not considered host-based
authentication and looked it up.
As I understand from my first quick reading, I would need to specify the
clients which are allowed to use host-based auth on the server with a
DNS name or an IP, which would not work for a client behind a CG NAT or
in a cellular network.
Or did I get this wrong?
So, this is also an answer to Brian. Right now, I cannot simply use IPs.
(However, it would not be out of reach to simply put all clients on a
private VPN. But I would consider that more of a work-around to the
original problem.)
Thanks and best,
Jan
Am 22.10.20 um 01:31 schrieb Damien Miller:
On Wed, 21 Oct 2020, Jan Bergner wrote:
Hello all,
in order to connect to my SSH servers from untrusted devices like company computers or my smartphone, I set up 2FA with
google-authenticator hooked into PAM.
However, this is not really 2FA at least for the smartphone, since I use the same device for generating the TANs and it
is also at least inconvenient to always require a new TAN for each connection. I do not want to solely rely on SSH keys
on these devices since - as I pointed out - I do not really trust them.
So, my idea was to use SSH keys but to also require the server's PAM login for these "semi-trusted" keys. But of course,
I want to trust the keys on my own laptop and desktop without an additional PAM password. Therefore, I cannot simply use
something like
AuthenticationMethods publickey,password
Since the main difference here is how much you trust the originating host,
you might want to consider setting up host-based authentication for those
hosts and using a config like:
AuthenticationMethods publickey,password publickey,hostbased
This would allow users to log in with (public key AND password) OR
(public key and host-based).
-d
--
*Jan Bergner, M.Sc. *
Senior IT Administrator
*indurad GmbH*
*The Industrial Radar Company*
Belvedereallee 5
52070 Aachen, Germany
Office: + 49 241 538070-61
Front Desk: + 49 241 538070-0
Fax: + 49 241 538070-99
jan.bergner@xxxxxxxxxxx
www.indurad.com <http://www.indurad.com/>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev