On 2013-10-28, Pieter Verberne <[email protected]> wrote:
> What I actually wanted to do: I want to use two-factor authentication
> over ssh using passwd+yubikey. Is this possible? It looks like yubikey
> will 'replace' passwd authentication, and cannot supplement it.

You're right, login_yubikey does replace passwd auth. bsdauth doesn't
let you request multiple passwords. Only way I came up with to achieve
this was to have a single bsdauth method which requests an otp *and*
password, and checks both of them (used for login_totp-and-pwd in the
login_oath package)..

> Off topic:
> How safe is certificate authentication? I'll use an encrypted private
> key on my client computers. If someone gets his hands on the encrypted
> key, they can do an offline password attack, which seems less safe than
> an online attack.

Certainly less noisy..

SSH will let you require 2-factor auth with both a "password-like login
method" which could be a password or a yubikey, and the ssh key. See
sshd_config(5):

     AuthenticationMethods
             Specifies the authentication methods that must be successfully
             completed for a user to be granted access. This option must be
             followed by one or more comma-separated lists of authentication
             method names. Successful authentication requires completion of
             every method in at least one of these lists.
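
Added example, not part of the original message: a small Python audit of sshd_config text that applies the rule quoted above and reports any AuthenticationMethods list that a single method can satisfy. The sample configs are constructed, the function names are hypothetical, and only the global section is read (Match blocks are not evaluated).

```python
# Added example: sample configs below are constructed, function names are
# hypothetical. Only the global section is read (Match blocks are skipped).

def parse_auth_methods(config_text):
    """Return the method lists of the first global AuthenticationMethods
    line, or None when it is absent (sshd then defaults to "any")."""
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        keyword = fields[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            break                            # end of the global section
        if keyword == "authenticationmethods":
            return [item.split(",") for item in fields[1:]]
    return None

def single_factor_lists(lists):
    """Lists that grant access after one method completes."""
    if lists is None or ["any"] in lists:
        return ["any"]
    return [",".join(l) for l in lists if len(l) < 2]

def grants_access(lists, completed):
    """Man page rule: every method of at least one list, in listed order."""
    if lists is None or ["any"] in lists:
        return len(completed) >= 1
    return any(completed == l for l in lists)

# Constructed sample: the second list lets a password alone succeed.
WEAK = """PasswordAuthentication yes
AuthenticationMethods publickey,password password
"""
# Constructed sample: every list needs the ssh key plus a second method.
STRONG = """AuthenticationMethods publickey,keyboard-interactive:bsdauth publickey,password
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("strong", STRONG)):
        lists = parse_auth_methods(text)
        print(name, "single-factor lists:", single_factor_lists(lists))
```
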