On Tue, 31 Aug 2010, Robert Hajime Lanning wrote:
> ssh is not written to do that.
> It authorizes on first successful authentication.
> The closest thing you can do is distribute PKCS#11 compatible hardware
> tokens and configure the ssh client to use the key from there.
> This will implement two factor authentication.
> 1) the token (the key never leaves the token)
> 2) password authentication to the token to unlock access to use the key.
Actually, the answer you're looking for is called "SecurID", or other
similar products like cryptocards or tokens by Vasco or Secure Computing.
Specifically, the "RSA way" is you concatenate the token code with your
password, so your password is foobarNNNNNN, and the RADIUS/PAM server
knows to do a "split" at that point, and compare the values separately.
It is also possible to do full-on challenge-response authentication, in
the classic "you type the challenge into your token, and the token gives
you a response" method.
You can use this, for example, with OPIE (also known as S/Key), which has
the advantage of blocking replay attacks (passwords are discarded on use),
and of being usable over unencrypted channels.
And yes, you could work this with LDAP, but it's nontrivial and probably
requires some custom PAM programming to chain the functionality together.
I have not seen a free, off-the-shelf product that does this.
-Dan
--
"SOY BOMB!"
-The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan
Performance.
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
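The S/Key-style challenge-response scheme Dan describes above, as an added example that is not part of the mailing-list post or of OPIE itself. It implements the hash-chain logic (the server stores only the last accepted value, each response must hash to it, and an accepted response is discarded so it cannot be replayed). Assumptions: SHA-256 is used in place of OPIE's MD4/MD5 with 64-bit folding and six-word encoding, and the class and function names (OtpServer, otp_chain, client_response, demo) and the sample passphrase and seed are made up for illustration.

```python
"""S/Key (Lamport hash chain) one-time passwords.

Added example, not code from the mailing list or from OPIE/S/Key.
Simplification (assumption): real OPIE folds MD4/MD5 output to 64 bits
and prints it as six short words; here the chain uses raw SHA-256, but
the verification and replay-blocking logic is the same.
"""
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def otp_chain(passphrase: str, seed: str, n: int) -> bytes:
    """Return H^n(seed || passphrase), the n-th password in the chain."""
    x = (seed + passphrase).encode()
    for _ in range(n):
        x = _h(x)
    return x


class OtpServer:
    """Server side: keeps the seed, a counter and the last accepted value.

    The passphrase is never stored; only H^count is kept at enrolment.
    """

    def __init__(self, seed: str, passphrase: str, count: int):
        self.seed = seed
        self.count = count
        self.last = otp_chain(passphrase, seed, count)

    def challenge(self) -> str:
        """The prompt shown to the user. It contains no secret, so it can
        be sent over an unencrypted channel."""
        return f"otp-sha256 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept the response iff it is the preimage of the last value."""
        if self.count <= 0:
            return False  # chain exhausted: user must re-enrol
        if not hmac.compare_digest(_h(response), self.last):
            return False
        # Password discarded on use: the response becomes the new anchor,
        # so presenting it again fails because H(response) != response.
        self.last = response
        self.count -= 1
        return True


def client_response(passphrase: str, challenge: str) -> bytes:
    """Client/token side: derive the answer from the challenge. The
    passphrase never leaves the client."""
    _, seq, seed = challenge.split()
    return otp_chain(passphrase, seed, int(seq))


def demo():
    """Walk through a login, a replay of the same OTP, a fresh login,
    and an attempt with the wrong passphrase (sample values constructed
    for this example)."""
    pp = "correct horse battery staple"
    srv = OtpServer("ke1234", pp, 100)

    r = client_response(pp, srv.challenge())
    first = srv.verify(r)                                   # True
    replay = srv.verify(r)                                  # False: already used
    second = srv.verify(client_response(pp, srv.challenge()))   # True
    wrong = srv.verify(client_response("wrong", srv.challenge()))  # False
    return first, replay, second, wrong


if __name__ == "__main__":
    print(demo())
```

Because each response is a preimage of the value the server already holds, an eavesdropper who captures one OTP learns nothing about the next (that would require inverting the hash), which is why the scheme is safe to use over cleartext links as long as the chain is re-seeded before the counter runs out.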