On 03/08/2025 10:54, Eduardo Suarez-Santana via openssh-unix-dev wrote:
I wonder whether a hybrid authentication method could be implemented, where the password of the user is stored along with the authorized public key in the server, but instead of storing it in plain text, it would be stored encrypted with the public key. So I'm proposing a new authentication method that would send the encrypted password to the client, so the client could decrypt it with the private key, and then send it back to the server. Finally, the server would use the decrypted password to authenticate the user against the PAM modules. This way, the user would be able to unlock the home directory, and at the same time, the public key authentication would be passwordless.
The nearest existing mechanism I can think of is SSH agent forwarding. Unfortunately, AFAIK the SSH agent protocol only has a "sign" operation, not a "decrypt" operation. But it is extensible.
An example of how a PAM module can interact with SSH agent: https://github.com/uber/pam-ussh
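As an added illustration of the flow Eduardo sketches (not code from OpenSSH, pam-ussh, or either poster), here are the three steps with Go's standard-library RSA: enrolment on the server, the client's decryption of the challenge, and a stand-in for the PAM check. The OAEP label that binds the ciphertext to a host fingerprint and user name is my own addition, so that the client's key does not become a general decryption oracle for any server it connects to; host fingerprint, user name and password are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// oaepLabel ties a ciphertext to one purpose, host and user: a ciphertext made
// for any other label (or by any other server) will not decrypt on the client.
func oaepLabel(hostFingerprint, user string) []byte {
	return []byte("encrypted-password-auth-v0:" + hostFingerprint + ":" + user)
}

// Enroll runs once on the server: only the password encrypted to the user's
// public key is kept next to the authorized key (constructed flow, not sshd's).
func Enroll(pub *rsa.PublicKey, hostFP, user, password string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), oaepLabel(hostFP, user))
}

// ClientDecrypt runs on the client (or its agent): it recovers the password
// from the server's challenge and hands it back to be sent over the channel.
func ClientDecrypt(priv *rsa.PrivateKey, hostFP, user string, challenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, challenge, oaepLabel(hostFP, user))
}

// pamAuthenticate stands in for the PAM conversation: a constant-time compare
// against the password the stub knows for the user (stub, not a real PAM call).
func pamAuthenticate(user string, password []byte, known map[string]string) bool {
	want, ok := known[user]
	return ok && subtle.ConstantTimeCompare(password, []byte(want)) == 1
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	const hostFP, user, password = "SHA256:constructed-host-fp", "alice", "correct horse battery"
	stored, _ := Enroll(&priv.PublicKey, hostFP, user, password) // server side, at enrolment
	pw, err := ClientDecrypt(priv, hostFP, user, stored)        // client side, at login
	if err != nil {
		fmt.Println("decrypt failed:", err)
		return
	}
	fmt.Println("PAM accepted:", pamAuthenticate(user, pw, map[string]string{user: password}))
	_, err = ClientDecrypt(priv, "SHA256:other-host", user, stored) // wrong label: refused
	fmt.Println("foreign challenge refused:", err != nil)
}
```

Note that the plaintext password still crosses the (encrypted) SSH channel and sits in sshd's memory for the PAM call, exactly as with ordinary password authentication.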
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev