On Fri, 08 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear FreeIPA Gurus,
I was wondering if it's possible to configure `sshd` such that for OTP-based
authentication the first factor could be passed as an ssh key or
certificate.
So specifically: the user's password would not be required for auth,
only the key and OTP token. Is there a magic combination of
AuthenticationMethods for `sshd_config` that would allow this to work?
Yes and no.
You can use multiple authentication methods, as you noted, but they are
fully independent of each other. The decision making is done within
sshd, not outside of it.
If you set
AuthenticationMethods publickey,keyboard-interactive:pam
both a public key and a full authentication through the PAM stack would be
required. Unfortunately, the latter one cannot allow you to enter only a
second factor. Any PAM module taking up the authentication request would
have no knowledge of the prior authentication by the public key because
this is sshd's internal knowledge, not passed through anywhere else.
There is also no mechanism to pass that through anyhow.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
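As an added example (not part of this thread, and not OpenSSH or FreeIPA code), the following Python checker parses the AuthenticationMethods syntax Alexander describes (space-separated alternatives, comma-chained methods that must all succeed, with Match blocks overriding the global directive) from a constructed sshd_config fragment and flags every alternative under which a login could succeed without the public key, leaving the PAM/OTP prompt as the only factor. The config text and the "legacy" group name are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sshd_config fragment (not from the thread). The Match block
# overrides the global directive for members of the "legacy" group.
SAMPLE_CONFIG = """\
# global policy: key AND a full PAM run (FreeIPA password + OTP prompts)
AuthenticationMethods publickey,keyboard-interactive:pam
Match Group legacy
    # space separates alternatives; commas chain methods that must all pass
    AuthenticationMethods publickey,keyboard-interactive:pam password
"""

# sshd accepts both "Keyword value" and "Keyword=value"
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_authentication_methods(config: str) -> Dict[str, List[List[str]]]:
    """Map each scope ("*" = global, else the Match criteria text) to its
    AuthenticationMethods: a list of alternatives, each a list of methods
    that must all succeed in order. The last directive in a scope wins;
    scopes that never set the directive are not reported (they inherit)."""
    scope, result = "*", {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = _DIRECTIVE.match(line) if line else None
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = value  # e.g. "Group legacy"
        elif keyword == "authenticationmethods":
            result[scope] = [alt.split(",") for alt in value.split()]
    return result


def alternatives_missing_key(config: str) -> Dict[str, List[str]]:
    """Alternatives under which a session can open without a public key, so
    the PAM/OTP step (or nothing at all, for "any") is the only factor.
    Each flagged alternative is reported in its comma-joined form."""
    findings: Dict[str, List[str]] = {}
    for scope, alternatives in parse_authentication_methods(config).items():
        weak = [",".join(alt) for alt in alternatives
                if "publickey" not in (meth.split(":")[0] for meth in alt)]
        if weak:
            findings[scope] = weak
    return findings


if __name__ == "__main__":
    print(alternatives_missing_key(SAMPLE_CONFIG))
```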