A possible workaround is to use an SSH key which "forces" a command of
"sudo /bin/login". By doing so, one would first authenticate with the SSH
key (without password), and then need to authenticate through the
"regular" PAM stack (password from LDAP).

I haven't tried the configuration myself, but it's worth a shot.

Best regards,
Filip Fafara

On 01.09.2010 01:35, Robert Hajime Lanning wrote:
> ssh is not written to do that.
>
> It authorizes on first successful authentication.
>
> The closest thing you can do is distribute PKCS#11 compatible hardware
> tokens and configure the ssh client to use the key from there.
>
> This will implement two factor authentication.
> 1) the token (the key never leaves the token)
> 2) password authentication to the token to unlock access to use the key.
>
> You do lose the LDAP auth in doing this.
>
> 2010/8/31 Илья Скорик <ilya@xxxxxxxxx>:
>> Approximately so.
>>
>> The problem is that people from an enterprise network have access to
>> the server. And there is Windows in their network. Recently a virus
>> stole passwords from one of the managers, got onto one of the servers
>> and downloaded bad software.
>>
>> I would like to restrict access in case of simple larceny of
>> passwords by viruses, but I am not able to do it in the standard
>> manner, because from the server side all managers come from one IP
>> address. Also, I don't want to set up authorization through a public
>> key, since it isn't compatible with LDAP authorization on the server.
>> And managers can come onto the server without entering any passwords.
>>
>> All that I want is the mandatory presence of a public key and standard
>> authorization with a request for the password which is stored on the
>> server.
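
Added example, not part of the original thread and not code from any poster: the forced-command workaround at the top of this message only holds if every key in a manager's `authorized_keys` carries the forced command, so this check parses the option field and reports keys that do not. The three forwarding restrictions are an assumption added here (a forced command covers sessions, not forwarding requests); the sample lines and key material are constructed placeholders.

```python
import re

# Assumption (not from the thread): forwarding must be disabled on each key too.
REQUIRED_COMMAND = "sudo /bin/login"  # forced command proposed in the message
REQUIRED_FLAGS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")
# One option: name, optional ="quoted value" (may hold commas/blanks), then a separator.
OPTION = re.compile(r'([\w-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s+|$)')

def split_options(line):
    """Split one authorized_keys line into ({option: value}, remainder)."""
    if KEY_TYPE.match(line):               # starts with the key type: no options
        return {}, line
    opts, pos = {}, 0
    while True:
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError("malformed option field")
        # Option names are case-insensitive; \" inside a value is a literal quote.
        opts[m.group(1).lower()] = (m.group(2) or "").replace('\\"', '"')
        pos = m.end()
        if m.group(3) != ",":              # a blank (or end of line) ends the options
            return opts, line[pos:]

def audit(text):
    """Return (line_number, problem) for each key that could skip the password step."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            opts, _ = split_options(line)
        except ValueError as exc:          # unparseable lines are reported, not skipped
            findings.append((n, str(exc)))
            continue
        if opts.get("command") != REQUIRED_COMMAND:
            findings.append((n, "key is not pinned to the forced login command"))
        missing = sorted(REQUIRED_FLAGS - set(opts))
        if missing:
            findings.append((n, "missing " + ",".join(missing)))
    return findings

SAMPLE = '''\
# constructed sample, key material is a placeholder
command="sudo /bin/login",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAPLACEHOLDER manager1
ssh-rsa AAAAPLACEHOLDER manager2
command="sudo /bin/login" ssh-rsa AAAAPLACEHOLDER manager3
'''
```

`audit(SAMPLE)` returns findings for lines 3 and 4 only; line 2 is the form the workaround relies on.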