Dear FreeIPA Gurus,
I was wondering if it's possible to configure `sshd` such that for OTP based authentication the first factor could be passed as a ssh key or certificate.
So specifically: The user's password would not be required for auth, only the key and OTP token. Is there a magic combination of AuthenticationMethods for `sshd_config` that would allow this to work?
Regards, Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum@well.ox.ac.uk
On Fri, 08 Mar 2019, Callum Smith via FreeIPA-users wrote:
> Dear FreeIPA Gurus,
> I was wondering if it's possible to configure `sshd` such that for OTP based authentication the first factor could be passed as a ssh key or certificate.
> So specifically: The user's password would not be required for auth, only the key and OTP token. Is there a magic combination of AuthenticationMethods for `sshd_config` that would allow this to work?
Yes and no.
You can use multiple authentication methods, as you noted, but they are fully independent of each other. The decision making is done within sshd, not outside of it.
If you set
`AuthenticationMethods publickey,keyboard-interactive:pam`
both a public key and a full authentication through the PAM stack would be required. Unfortunately, the latter one cannot allow you to enter only a second factor. Any PAM module taking up the authentication request would have no knowledge of the prior authentication by the public key, because this is sshd's internal knowledge, not passed through anywhere else. There is also no mechanism to pass that through anyhow.
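An added check, not from the thread or from the FreeIPA or OpenSSH projects, for auditing what an `sshd_config` actually demands: OpenSSH treats space-separated entries of AuthenticationMethods as alternative chains and comma-separated entries within a chain as factors that must all succeed, so a chain is only "key plus PAM" if both appear in it. The config text is a constructed sample; the function names are my own.

```shell
# Constructed sample sshd_config fragment (not taken from any real host).
SAMPLE_SSHD_CONFIG='
# global default: key, then the full PAM stack (password + OTP under FreeIPA)
AuthenticationMethods publickey,keyboard-interactive:pam
Match Group legacy
    AuthenticationMethods publickey password,keyboard-interactive:pam
'

# Read sshd_config text on stdin and print one line per AuthenticationMethods
# directive: "OK" when every alternative chain requires both publickey and
# keyboard-interactive (the PAM path), "WEAK" when some chain does not.
audit_auth_methods() {
    awk '
    tolower($1) == "authenticationmethods" {
        strict = 1
        # fields 2..NF are alternative chains; inside a chain, comma = "and then"
        for (i = 2; i <= NF; i++) {
            n = split($i, m, ",")
            has_key = 0; has_pam = 0
            for (j = 1; j <= n; j++) {
                if (m[j] == "publickey") has_key = 1
                if (index(m[j], "keyboard-interactive") == 1) has_pam = 1
            }
            if (!(has_key && has_pam)) strict = 0
        }
        $1 = ""
        sub(/^ +/, "")
        print (strict ? "OK  " : "WEAK") " " $0
    }'
}

# Exit 0 when every AuthenticationMethods directive in the config text $1
# requires both factors in all of its alternative chains, 1 otherwise.
all_chains_require_key_and_pam() {
    ! printf '%s\n' "$1" | audit_auth_methods | grep -q '^WEAK'
}
```

The audit only reads the directive; it does not tell you what the PAM stack itself will prompt for, which is exactly the part sshd cannot influence.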