On Tue, 31 Aug 2010, Robert Hajime Lanning wrote:
ssh is not written to do that. It authorizes on first successful authentication. The closest thing you can do is distribute PKCS#11 compatible hardware tokens and configure the ssh client to use the key from there. This will implement two factor authentication. 1) the token (the key never leaves the token) 2) password authentication to the token to unlock access to use the key.
Actually, the answer you're looking for is called "securID", or other similar products like cryptocards or tokens by Vasco or securecomputing.
Specifically, the "RSA way" is you concatenate the token code with your password, so your password is foobarNNNNNN, and the radius/pam server knows to do a "split" on that point, and compare the values separately.
It is also possible to do full on challenge-response authentication, in the classic "you type the challenge into your token, and the token gives you a response" method.
You can use this, for example, with OPIE (also known as s/key), which has the advantage of blocking replay attacks (passwords are discarded on use), and being usable over unencrypted channels.
And yes, you could work this with LDAP, but it's nontrivial and probably requires some custom PAM programming to chain the functionality together.
I have not seen a free, off-the-shelf product that does this.

-Dan

--
"SOY BOMB!" -The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan Performance.

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
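The OPIE/S/Key challenge-response flow Dan describes (server issues a sequence number and seed, client answers with a hash-chain value, and the password is discarded on use so it cannot be replayed), as an added example that is not part of this thread. It assumes a truncated SHA-256 chain with hex-encoded responses instead of OPIE's real MD4/MD5 fold and six-word encoding.

```python
import hashlib
import secrets

# Added example, not from the thread: a Lamport/S/Key-style one-time-password
# verifier. The server stores only H^count(passphrase||seed); the client is
# challenged for H^(count-1), and each accepted response replaces the stored value.

def otp_hash(value: bytes) -> bytes:
    """One step of the chain (assumed: SHA-256 cut to 64 bits; OPIE folds MD4/MD5)."""
    return hashlib.sha256(value).digest()[:8]

def chain(passphrase: str, seed: str, steps: int) -> bytes:
    """Compute H^steps(passphrase||seed)."""
    value = (passphrase + seed).encode()
    for _ in range(steps):
        value = otp_hash(value)
    return value

def enroll(passphrase: str, seed: str, count: int) -> dict:
    """Server-side record created once at enrolment; the passphrase is not kept."""
    return {"seed": seed, "count": count, "last": chain(passphrase, seed, count)}

def challenge(record: dict) -> str:
    """What the server prompts with, e.g. 'otp-4 ab1234'."""
    return f"otp-{record['count'] - 1} {record['seed']}"

def client_response(passphrase: str, seed: str, sequence: int) -> str:
    """Client-side token calculation for the sequence number in the challenge."""
    return chain(passphrase, seed, sequence).hex()

def verify(record: dict, response_hex: str) -> bool:
    """Accept only if H(response) matches the stored value, then advance the
    chain, so a captured response is useless on the next login."""
    if record["count"] <= 1:
        return False  # chain exhausted; never ask for H^0, which is the passphrase
    try:
        response = bytes.fromhex(response_hex)
    except ValueError:
        return False
    if not secrets.compare_digest(otp_hash(response), record["last"]):
        return False
    record["last"] = response
    record["count"] -= 1
    return True
```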