by samarudge 5383 days ago
If you're running a recent version of OpenSSH, you can add the 'ForceCommand' param to sshd_config to add it for all users. The only downside to this is it is for all users, so if you run something that needs to use key-based login without the two-factor method you'll need to validate that yourself within the script.
3 comments

> The only downside to this is it is for all users

Look up the Match command, you can limit ForceCommand and many others to a specific "User, Group, Host and Address."

It seems to me that you're doing 2 factor on the ssh key decryption. That's not so useful IMO from the security point of view. The factor should be an alternative to the ssh key itself aka server side aka via ForceCommand as suggested.
Cool, I wasn't aware of that option. Thanks!
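
The scoping discussed in this thread, as an added example that is not part of any comment above: a `Match` block limits `ForceCommand` to selected accounts so key-only automation is left alone. The group `twofactor`, the accounts `backup` and `alice`, the client host and address, and the script path `/usr/local/bin/two-factor-gate` are assumptions.

```sshd_config
# /etc/ssh/sshd_config (fragment). Group, user and script names are
# assumed for illustration; they do not come from the thread.

# Global form from the parent comment: every login, including key-only
# automation, is routed through the gate script.
#ForceCommand /usr/local/bin/two-factor-gate

# Scoped form: only members of the group "twofactor" are gated.
# A Match block runs until the next Match line or the end of the file,
# so keep Match blocks at the bottom of sshd_config.
Match Group twofactor
    ForceCommand /usr/local/bin/two-factor-gate

# Alternative: gate everyone except one automation account by using a
# negated pattern in the user list.
#Match User *,!backup
#    ForceCommand /usr/local/bin/two-factor-gate

# sshd ignores the command the client asked for and runs the gate
# instead; the requested command is passed to the gate in
# $SSH_ORIGINAL_COMMAND, so the script decides whether to run it once
# the second factor has been checked.
#
# Before reloading sshd, check the syntax and then the effective
# setting for one connection:
#   sshd -t
#   sshd -T -C user=alice,host=client.example,addr=192.0.2.10 | grep -i forcecommand
```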