Re: Unix (pam) authorization with required public key

ssh is not written to do that.

It authorizes on first successful authentication.

The closest thing you can do is distribute PKCS#11 compatible hardware
tokens and configure the ssh client to use the key from there.

This will implement two factor authentication.
1) the token (the key never leaves the token)
2) password authentication to the token to unlock access to use the key.

You do lose the LDAP auth in doing this.

2010/8/31 Илья Скорик <ilya@xxxxxxxxx>:
> Approximately so.
>
> The problem is that people from an enterprise network have access to
> the server, and there is Windows in their network. Recently a virus
> stole the passwords of one of the managers, got onto one of the
> servers and downloaded bad software.
>
> I would like to restrict access in case of simple theft of passwords
> by viruses, but I am not able to do it in the standard manner, because
> from the server side all managers come from one IP address. Also, I
> don't want to set up authorization through a public key, since it
> isn't compatible with LDAP authorization on the server, and managers
> can get onto the server without entering any passwords.
>
> All that I want is the mandatory presence of a public key plus
> standard authorization with a request for the password, which is
> stored on the server.

-- 
And, did Galoka think the Ulus were too ugly to save?
                                         -Centauri
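
The token setup suggested in the reply above, as an added configuration sketch that is not part of the original message. It assumes an OpenSSH build with PKCS#11 support and the OpenSC module at `/usr/lib/opensc-pkcs11.so`; the host alias, host name and module path are placeholders.

```sshconfig
# Client side: ~/.ssh/config (constructed example)
# Assumption: host alias, host name and module path are placeholders.
Host managed-server
    HostName server.example.com
    # Use the key held on the hardware token. The private key never leaves
    # the token, and ssh asks for the token PIN before it can sign.
    PKCS11Provider /usr/lib/opensc-pkcs11.so
    # Only attempt public-key authentication from this client, so the
    # account password is never typed into or sent by this session.
    PreferredAuthentications publickey
    PasswordAuthentication no

# Server side: /etc/ssh/sshd_config (constructed example)
# Accept public keys only, so a password captured on a workstation is not
# enough to log in. As the reply notes, password checking against LDAP is
# no longer part of the login once this is in place.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
```

The public key to install in the user's `authorized_keys` on the server can be read from the token with `ssh-keygen -D /usr/lib/opensc-pkcs11.so`.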


