Look at certificates. This way the user would need a certificate, password for the said certificate (ok ok so it's possible to have certs without a password) and disable password only authentication.

Thank you
--
Vlad G.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Ryan Kish
Sent: Wednesday, April 22, 2009 4:02 PM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: Requiring Dual Factor Authentication / Multiple Authentication

Hello List.

I am currently trying to determine how I can implement two factor authentication for some servers that sit on border networks. Ideally, a user would be required to use an rsa/dsa key & their system login password to gain access. This way, they are using something they have (rsa/dsa key) and something they know (password). It would allow me to enforce complex passwords as well as expiration time on the server side.

Searching for previous posts on this subject has not been easy, but I did come across a thread from 2006:

http://marc.info/?t=114928353600001&r=1&w=2

At that time, it looks like OpenSSH did not have the capabilities to enforce multiple authentication. Has this changed? Are there other ideas on how I could enforce password complexity and still utilize rsa/dsa keys?

Thanks for your time,
Ryan
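
Added example, not part of either message: a small audit of the global section of an sshd_config that lists which authentication method sequences the server would accept, so a key-only setup (password-only authentication disabled) can be told apart from one that requires a key and a password. It assumes the AuthenticationMethods keyword, which OpenSSH gained in release 6.2, after this thread was written; the function names and sample configurations are constructed for illustration.

```python
# Added example, not from the thread. Sample configs below are constructed.
DEFAULTS = {  # OpenSSH behaviour when a keyword is absent
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "authenticationmethods": "any",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
SWITCH = {  # authentication method -> keyword that enables it
    "password": "passwordauthentication",
    "publickey": "pubkeyauthentication",
    "keyboard-interactive": "kbdinteractiveauthentication",
}

def effective_settings(config_text):
    """Global settings only: first value for a keyword wins, stop at Match."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if key in DEFAULTS and len(parts) == 2:
            seen.setdefault(key, parts[1].strip())
    return {**DEFAULTS, **seen}

def accepted_chains(config_text):
    """Method sequences that complete a login (hostbased/GSSAPI not modelled)."""
    s = effective_settings(config_text)
    enabled = {m for m, k in SWITCH.items() if s[k].lower() == "yes"}
    if s["authenticationmethods"].lower() == "any":
        return sorted((m,) for m in enabled)
    chains = [tuple(m.split(":")[0] for m in c.split(","))
              for c in s["authenticationmethods"].split()]
    return [c for c in chains if all(m in enabled for m in c)]

def single_factor_chains(config_text):
    """Chains sshd accepts with one method; it cannot see key passphrases."""
    return [c for c in accepted_chains(config_text) if len(c) == 1]

KEY_ONLY = "PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
KEY_AND_PASSWORD = "AuthenticationMethods publickey,password\n"

if __name__ == "__main__":
    for name, cfg in [("default", ""), ("key only", KEY_ONLY),
                      ("key+password", KEY_AND_PASSWORD)]:
        print(name, accepted_chains(cfg), single_factor_chains(cfg))
```

A passphrase on the private key is checked only on the client, so the key-only configuration still counts as a single method from the server's side.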