How can I enable both password and public key authentication with OpenSSH?
Solution 1
Not presently. But there are some patches floating around that are supposed to add this.
See https://bugzilla.mindrot.org/show_bug.cgi?id=983
Solution 2
This is finally available as of OpenSSH 6.2 (released March 2013), using the AuthenticationMethods configuration option.
For instance, you may add the following line to sshd_config to require both public-key and password authentication:
AuthenticationMethods publickey,password
When logging in, ssh and scp will first perform public-key authentication, and then prompt for a password:
$ ssh [email protected]
Authenticated with partial success.
[email protected]'s password:
If you have a password on your private key file, you will of course first be prompted for that. Example using PuTTY:
Using username "user".
Authenticating with public key "rsa-key-20131221-user"
Passphrase for key "rsa-key-20131221-user":
Further authentication required
[email protected]'s password:
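An added example, not part of the original answer: a small audit check for the AuthenticationMethods line described above. The directive takes one or more space-separated lists of comma-separated methods, and completing any one list is enough to log in, so a line such as "publickey,password publickey" still admits a key-only login. The function names and sample configurations are constructed for illustration, and Match blocks are assumed to be out of scope (only the global section is read).

```python
REQUIRED = frozenset({"publickey", "password"})

def global_auth_method_lists(config_text):
    """Return the lists on the first global AuthenticationMethods line, or None."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        keyword = words[0].lower()          # sshd_config keywords are case-insensitive
        if keyword == "match":              # assumption: stop before conditional blocks
            break
        if keyword == "authenticationmethods":
            return words[1:]                # sshd uses the first value it obtains
    return None

def weak_lists(config_text, required=REQUIRED):
    """Return every method list that grants access without all required methods.

    None means the directive is absent from the global section, in which
    case any single enabled method is sufficient (the sshd default).
    """
    lists = global_auth_method_lists(config_text)
    if lists is None:
        return None
    weak = []
    for entry in lists:
        # Strip submethod suffixes such as "keyboard-interactive:pam".
        base = {method.split(":", 1)[0] for method in entry.split(",")}
        if not required <= base:
            weak.append(entry)
    return weak

# Constructed sample configurations.
STRICT = "PasswordAuthentication yes\nAuthenticationMethods publickey,password\n"
BYPASS = "AuthenticationMethods publickey,password publickey\n"
UNSET = "# AuthenticationMethods publickey,password\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for name, text in (("STRICT", STRICT), ("BYPASS", BYPASS), ("UNSET", UNSET)):
        print(name, weak_lists(text))
```

An empty result means every listed path requires both factors; each method named must also be enabled in sshd_config for the list to be usable.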
Solution 3
OpenSSH in RHEL/CentOS 6.3 now supports this feature, although I can't find it mentioned in the OpenSSH release notes. From the RHEL release notes:
SSH can now be set up to require multiple ways of authentication (whereas previously SSH allowed multiple ways of authentication of which only one was required for a successful login); for example, logging in to an SSH-enabled machine requires both a passphrase and a public key to be entered. The RequiredAuthentications1 and RequiredAuthentications2 options can be configured in the /etc/ssh/sshd_config file to specify authentications that are required for a successful log in. For example:
~]# echo "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config
For more information on the aforementioned /etc/ssh/sshd_config options, refer to the sshd_config man page.
Comments
-
surprise_ over 1 year
I would like for sshd to verify the users' public key and then prompt for their password, rather than just one or the other. Is this possible?