On 2024/10/21 12:02, David Lang via openssh-unix-dev wrote:
> A cert is a single factor, so is a password. Cert authentication
> is only two factor if you trust that the password is not stored
> along with the cert (which is on the untrusted client)

You can tell sshd to require *both* password and public key.

> This is why I push for challenge/response tokens, not simply
> cert authentication, and really wish that FIDO (such as yubikey)
> was an option, but the discussions I've seen about supporting
> that have not been encouraging.

hmm? That works pretty well in OpenSSH.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
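
One way to require both password and public key is sshd's AuthenticationMethods keyword. The following Python check is an added example, not part of the original message or of OpenSSH: it reads sshd_config text and reports whether every permitted method list demands both publickey and password. The sample configs are constructed, and as an assumption only the global section (before any Match block) is examined.

```python
# Added example: audit sshd_config text for "publickey AND password".
# AuthenticationMethods takes space-separated lists of comma-separated
# methods; login succeeds once every method in at least one list completes.

def parse_auth_methods(config_text):
    """Return the method lists of the first global AuthenticationMethods line.

    Each list is a tuple of method names with any ':submethod' suffix
    removed. Returns None when the keyword is absent, in which case sshd
    accepts any single enabled method.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            break   # assumption: Match blocks are out of scope here
        if keyword == "authenticationmethods":
            return [tuple(m.split(":", 1)[0] for m in lst.split(","))
                    for lst in args]
    return None


def enforces_key_and_password(config_text):
    """True only if every allowed list contains publickey and password."""
    lists = parse_auth_methods(config_text)
    if not lists:
        return False
    return all("publickey" in l and "password" in l for l in lists)


# Constructed sample configurations.
DEFAULT_CFG = "PubkeyAuthentication yes\nPasswordAuthentication yes\n"
BOTH_CFG = "# require two methods\nAuthenticationMethods publickey,password\n"
# The second list lets a key alone succeed, so the pairing is not enforced.
BYPASS_CFG = "AuthenticationMethods publickey,password publickey\n"

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CFG), ("both", BOTH_CFG),
                      ("bypass", BYPASS_CFG)]:
        print(name, enforces_key_and_password(cfg))
```
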