Subject: OpenSSH with S/Key AND password authentication
To: None <>
From: Ryan Cresawn <>
List: tech-pkg
Date: 09/02/2004 21:28:29

I hope I'm asking this question in the right location.  I'm not sure
if it would better be asked on tech-security.

Is there currently any effort underway to import OpenPAM into pkgsrc?
I ask because I'd like to follow some of the guidelines found in this

I am specifically interested in using OpenSSH with both S/Key AND
password authentication required.  This is different from the OR logic
found in the `sshd_config' file.  According to the article mentioned
above it should be possible with OpenPAM, now standard on FreeBSD, to
require both methods of authentication to succeed for a successful
login.  I'm not sure if this can be achieved with Linux-PAM which is
found under `/usr/pkgsrc/security/PAM'.  I did install it today on
NetBSD 1.6.2 but failed to find modules which seemed like they would
work with S/Key.

By the way, many people have asked why I'm not happy with
public/private key-based authentication.  My answer is that I have no
way to guarantee that my private key can be with me at all times that
I might need it.  I do know, however, that I will have my one-time
password list with me and my password memorized.

As an alternative to using a version of PAM to achieve my goal would
it be possible to modify OpenSSH to perform a logical AND instead of
OR for its authentication requirements?  For my purposes this would be
good enough as I'm currently only interested in implementing this kind
of security for fewer than five users of OpenSSH.