On 18/10/2013 12:23, Tanstaafl wrote:
> On 2013-10-17 10:30 PM, Walter Dnes <waltd...@waltdnes.org> wrote:
>> I apologize.  That is arguably a two factor system.  When you said
>> "ssh key and password", I "jumped to delusions", assuming that it was a
>> standard ssh connection with the option of either key or password.
> 
> Side question...
> 
> So, wouldn't the simplest two-factor authentication be an SSH key that
> required a password?
> 


No, there is no way to verify that a user has enabled a passphrase on an
ssh key.

Passphrases are designed to be used by the user to protect the user's
private key and cannot be controlled by the listening sshd.

The reason this is "two factor" is that hop 1 is a Unix host and like
all good sysadmins I enable key auth only. The next hop is the Cisco
routers and believe it or not, most of them are telnet only.

Yes, you heard right: telnet. Recent Cisco firmware supports ssh but a)
it kills the poor PowerPC cpu with 10 concurrent connections and b)
costs a lot of license money. Ingenious measures are in place to
mitigate the risk of telnet, it is certainly nothing like running
telnetd over the open internet.

-- 
Alan McKinnon
alan.mckin...@gmail.com
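The point above, that sshd never learns whether a key carries a passphrase, follows from where the passphrase lives: it is encoded as the cipher and KDF fields of the private key file, which never leave the user's machine. As an added example (not from this thread), a Python parser that audits local key files for that protection; the sample keys are constructed header-only blobs, not real keys.

```python
import base64
import re
import struct


def _ssh_string(s: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(s)) + s


def _openssh_blob(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: a PEM-wrapped openssh-key-v1 header with the
    given cipher/kdf names and no key material (enough for the audit)."""
    raw = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
           + _ssh_string(b"") + struct.pack(">I", 1))
    body = base64.b64encode(raw).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def _read_ssh_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def key_protection(pem: str) -> dict:
    """Report whether a private key file is passphrase-protected and how.
    Supports openssh-key-v1 (cipher/kdf header fields) and legacy PEM keys
    (Proc-Type: 4,ENCRYPTED header); raises ValueError for anything else."""
    lines = pem.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_ssh_string(raw, len(magic))
        kdf, _ = _read_ssh_string(raw, off)
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode()}
    if re.match(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", lines[0]):
        hdr = lines[1:4]  # legacy PEM puts Proc-Type/DEK-Info right after BEGIN
        enc = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in hdr)
        dek = next((l.split(":", 1)[1].strip() for l in hdr
                    if l.startswith("DEK-Info:")), "")
        return {"format": "pem", "encrypted": enc,
                "cipher": dek.split(",")[0] if dek else "none",
                "kdf": "openssl-legacy" if enc else "none"}
    raise ValueError("unrecognised private key format")


# Constructed samples (not real keys) for offline testing.
UNPROTECTED_KEY = _openssh_blob(b"none", b"none")
PROTECTED_KEY = _openssh_blob(b"aes256-ctr", b"bcrypt")
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    "AAAA\n-----END RSA PRIVATE KEY-----\n")
```

Run it against files under ~/.ssh on the client; the same fields are exactly what the remote sshd has no way to inspect.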

