requiring both password and rsa

What is the latest solution to requiring both a password and RSA with
OpenSSH's sshd? I see some references to patches, but cannot follow
what is recommended. Is it in the base release now?

If someone walks off with another's laptop, the private key is stolen,
so a combination of what-you-know with what-you-have is required.

Re: requiring both password and rsa

Are they not using password-protected private keys?  The private key may
be stolen, but assuming that it has a non-trivial password on it, the
attacker is not going far in any short period of time.  Regardless of
whether you had an extra "system" password for ssh or not, once the
private key has been stolen, you are going to need to regenerate the
public / private key pair because it is now suspect.  If your procedures
for this situation are timely, the attacker is very unlikely to have had
time to "crack" the private key.

Further than that, if the password has already been compromised on the
private key, for example using a key logger, what extra protection will
a system password afford you as this password could be compromised using
the same method?

private key = what you have
private key password = what you know



My $0.02
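
The reply above assumes the stolen key file is passphrase-protected. As an added example (not part of the thread), this Python check reports whether a private key file is encrypted by reading the PEM label, the legacy `Proc-Type` header, or the cipher-name field of the `openssh-key-v1` format. `key_is_encrypted` and `make_sample` are names chosen here, and the sample keys are constructed headers, not usable keys.

```python
import base64
import re

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
LEGACY = ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY")


def key_is_encrypted(pem_text):
    """True/False for the text of a private key file, None if unrecognised."""
    m = PEM_RE.search(pem_text)
    if not m:
        return None
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8 encrypted container
        return True
    if label == "PRIVATE KEY":             # PKCS#8 plaintext container
        return False
    if label in LEGACY:
        # Legacy PEM marks encryption with an RFC 1421 header line.
        return "Proc-Type: 4,ENCRYPTED" in body
    if label != "OPENSSH PRIVATE KEY":
        return None
    try:
        blob = base64.b64decode("".join(body.split()))
    except ValueError:
        return None
    off = len(OPENSSH_MAGIC)
    if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
        return None
    # After the magic comes a length-prefixed cipher name; "none" = plaintext.
    n = int.from_bytes(blob[off:off + 4], "big")
    cipher = blob[off + 4:off + 4 + n]
    return None if len(cipher) != n else cipher != b"none"


def make_sample(cipher):
    """Constructed, truncated openssh-key-v1 header; not a usable key."""
    blob = OPENSSH_MAGIC + len(cipher).to_bytes(4, "big") + cipher
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


if __name__ == "__main__":
    for name in (b"none", b"aes256-ctr"):
        print(name.decode(), "->", key_is_encrypted(make_sample(name)))
```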
