Hi,

this is just an idea. I've observed that password authentication typically passes through the server-side PAM authentication modules. This may be useful, for instance, to unlock an encrypted home directory using the user's password. On the other hand, public key authentication may be run passwordless from the client, which is also a great feature, but it does not allow unlocking the home directory.

I wonder whether a hybrid authentication method could be implemented, where the password of the user is stored along with the authorized public key in the server, but instead of storing it in plain text, it would be stored encrypted with the public key.

So, I'm proposing a new authentication method that would send the encrypted password to the client, so the client could decrypt it with the private key, and then send it back to the server. Finally, the server would use the decrypted password to authenticate the user against the PAM modules. This way, the user would be able to unlock the home directory, and at the same time, the public key authentication would be passwordless.

I'd love to hear your thoughts about this idea.

-Eduardo

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
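
The exchange proposed in the message above, as an added Go sketch that is not OpenSSH code and not the poster's. It assumes the user's key is RSA (the wrapping uses RSA-OAEP); `newKey`, `enroll`, `clientUnwrap`, `digest` and `pamStandIn` are hypothetical names, and `pamStandIn` replaces the real PAM call with a digest check.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// newKey stands in for the user's existing RSA key pair.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// enroll (server, once): wrap the password under the authorized public key.
func enroll(pub *rsa.PublicKey, password string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), nil)
}

// clientUnwrap (client, per login): decrypt the blob the server sent.
func clientUnwrap(priv *rsa.PrivateKey, blob []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, nil)
	return string(pt), err
}

// digest is what the stand-in verifier keeps instead of the password.
func digest(s string) [32]byte { return sha256.Sum256([]byte(s)) }

// pamStandIn replaces the real PAM call with a constant-time digest check.
func pamStandIn(want [32]byte, got string) bool {
	sum := digest(got)
	return subtle.ConstantTimeCompare(want[:], sum[:]) == 1
}

func main() {
	user, password := newKey(), "correct horse battery staple" // constructed sample
	blob, err := enroll(&user.PublicKey, password)             // stored beside the key
	if err != nil {
		panic(err)
	}
	returned, err := clientUnwrap(user, blob) // travels back inside the SSH channel
	fmt.Println("right key accepted:", err == nil && pamStandIn(digest(password), returned))
	_, err = clientUnwrap(newKey(), blob) // a different private key
	fmt.Println("wrong key rejected:", err != nil)
}
```

Signature-only key types such as Ed25519 cannot decrypt a blob this way, and whoever holds the private key can recover the password from the stored ciphertext.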