by ds9 4638 days ago
In case anyone ever wonders why "disable password logins" is commonly used as a synonym for "use keys", it's because of the config file and the way SSH for Linux works. If you enable both passwords and keys, then either will succeed instead of both being required! This unintuitive result is a rather dire "gotcha" for anyone new to the task.

Personally I would like to have both, in succession, but have not found a way to configure it. This would be simpler than the SSH-to-SSH solution.


> Personally I would like to have both, in succession

Key files can be password protected. Do you mean "(key+password) + password", or are you just not aware of passworded keyfiles?

If you can force authentication via both private key and a password, then you're authenticating via both "something you have" (the key), and "something you know" (the password). Having a passphrase on the key protects access to the key, but it doesn't provide any additional levels of authentication to the (remote) system that is requesting authentication — after all, the user could have removed the passphrase from the key file, there's no way for the remote system to know.

Unfortunately, there doesn't seem to be a way to require both a key and a passphrase to be entered. There may be a way to do it with some (custom?) pam configuration/modules, but as far as I know, nothing in sshd itself.

Not sure how robust it would be, but you can set a default shell that would be a simple script requiring log in before launching bash. That would give you both.

Different issue. It is definitely best practice to use a long passphrase to protect every secret key; this is off topic.

What I meant was, you connect to the SSH server and authenticate cryptographically (use passphrase locally when prompted) - then you also need a logon + password for the SSH server to complete the authentication. This would reject the internet noise banging on the port, but impose a two-factor test.
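The flow described above (key first, then the account password) and the "either one suffices" gotcha from the opening post can both be checked against an sshd_config. The audit script below is an added example, not code from anyone in this thread. It assumes OpenSSH's keyword semantics (case-insensitive keywords, first occurrence of a keyword wins) and the AuthenticationMethods directive that OpenSSH 6.2 and later provide for chaining methods; the sample configs are constructed, and Match blocks are deliberately not evaluated.

```python
"""Audit an sshd_config for the "either a key or a password logs you in" gotcha.

Added example, not code from the thread. Assumes OpenSSH semantics: keywords are
case-insensitive, the first occurrence of a keyword wins, and
AuthenticationMethods (OpenSSH 6.2+) holds space-separated alternatives, each a
comma-separated chain the client must complete in order. Match blocks are not
evaluated (a simplification): settings after the first Match are ignored.
"""
import re

# Stock OpenSSH defaults for the keywords this audit cares about.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "authenticationmethods": "any",
}

# Method name in AuthenticationMethods -> keyword that switches it on.
# keyboard-interactive is counted as a password-class method because with
# UsePAM it normally prompts for the account password.
ENABLING_KEYWORD = {
    "publickey": "pubkeyauthentication",
    "password": "passwordauthentication",
    "keyboard-interactive": "kbdinteractiveauthentication",
}
PASSWORD_CLASS = {"password", "keyboard-interactive"}

# "Keyword value" or "Keyword=value"; trailing whitespace dropped.
KEYWORD_LINE = re.compile(r"^([A-Za-z]+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Return {lowercased keyword: value}, keeping the first occurrence of each."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":  # conditional blocks are out of scope here
            break
        if key == "challengeresponseauthentication":  # older spelling
            key = "kbdinteractiveauthentication"
        settings.setdefault(key, value)
    return settings


def classify(settings):
    """Describe what a client must present to log in.

    Returns 'key-and-password', 'key-or-password', 'key-only', 'password-only',
    'none', 'custom' (chains this audit does not model) or 'misconfigured'
    (a chain names a method that is switched off, so it can never complete)."""
    def enabled(keyword):
        return settings.get(keyword, DEFAULTS[keyword]).lower() == "yes"

    methods = settings.get("authenticationmethods", DEFAULTS["authenticationmethods"])
    if methods.lower() != "any":
        # "publickey,password keyboard-interactive:pam" -> [[publickey, password], [keyboard-interactive]]
        chains = [[m.split(":")[0] for m in alt.split(",")] for alt in methods.split()]
        for chain in chains:
            for method in chain:
                keyword = ENABLING_KEYWORD.get(method)
                if keyword is None:
                    return "custom"
                if not enabled(keyword):
                    return "misconfigured"
        if all("publickey" in chain and PASSWORD_CLASS & set(chain) for chain in chains):
            return "key-and-password"
        return "custom"

    key = enabled("pubkeyauthentication")
    pw = enabled("passwordauthentication") or enabled("kbdinteractiveauthentication")
    if key and pw:
        return "key-or-password"  # the gotcha: both on means either one suffices
    if key:
        return "key-only"
    if pw:
        return "password-only"
    return "none"


def audit(text):
    return classify(parse_sshd_config(text))


# Constructed sample configs (not taken from any real host).
GOTCHA_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication yes
"""

CHAINED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication yes
# OpenSSH 6.2+: key first, then the account password; both are required
AuthenticationMethods publickey,password
"""

KEY_ONLY_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in [("gotcha", GOTCHA_CONFIG), ("chained", CHAINED_CONFIG), ("key-only", KEY_ONLY_CONFIG)]:
        print(f"{name}: {audit(cfg)}")
```

Note the third sample: turning off PasswordAuthentication alone is not enough on a PAM-enabled host, since keyboard-interactive can still prompt for the same account password, which is why the audit treats it as a password-class method.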

If you want two factors for SSH authentication, you can and should set up a two-factor auth system, like Duo.