Re: Feature - Password over Pubkey auth

On Mon, Aug 04, 2025 at 10:58:10AM +0300, Alexander Bokovoy wrote:
> On Sun, 03 Aug 2025, Eduardo Suarez-Santana via openssh-unix-dev wrote:
> > Hi,
> > 
> > this is just an idea.
> > 
> > I've observed that password authentication typically passes through the
> > server-side PAM authentication modules. This may be useful for instance to
> > unlock an encrypted home directory using the user's password.
> > 
> > On the other side, public key authentication may be run passwordless from the
> > client, which is also a great feature, but it does not allow unlocking the home
> > directory.
> > 
> > I wonder whether a hybrid authentication method could be implemented, where
> > the password of the user is stored along with the authorized public key in the
> > server, but instead of storing it in plain text, it would be stored encrypted
> > with the public key.
> 
> This already can be achieved by specifying multiple values in
> AuthenticationMethods option. The documentation even provides this
> example:
> 
>     For example, "publickey,password publickey,keyboard-interactive"
>     would require the user to complete public key authentication, followed
>     by either password or keyboard interactive authentication.

Please correct me if I'm wrong, but as far as I understand, that way the user
would have to enter the password anyway after the public key authentication,
which is not what I meant.

What I was thinking is that the user could for instance use only the ssh agent
to log in for passwordless access. However, the server would still receive the
password and process the auth PAM modules. I believe that this could even work
when using PKCS#11.

-Eduardo
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
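The point under discussion is the semantics of sshd's AuthenticationMethods directive: commas chain methods that must all succeed, spaces separate alternatives. The following is an added illustration (not code from OpenSSH or from either poster) that parses such a value and reports whether any alternative lets a client in without a password prompt, which is what makes the documented example differ from the passwordless-but-PAM-unlocking scheme proposed above. It assumes the method names listed in sshd_config(5) and treats the optional device suffix (e.g. keyboard-interactive:pam) as cosmetic.

```python
"""Audit an sshd_config AuthenticationMethods value (added example).

sshd_config(5) semantics: comma-separated method names form a chain that
must be completed in order; space-separated chains are alternatives, and
completing any one of them is enough.
"""

# Methods that prompt the user for a secret during the SSH exchange and, in
# the usual Linux setup, are the ones routed through the PAM "auth" stack.
PROMPTING_METHODS = {"password", "keyboard-interactive"}

# Method names accepted by AuthenticationMethods per sshd_config(5).
KNOWN_METHODS = {
    "gssapi-with-mic", "hostbased", "keyboard-interactive",
    "none", "password", "publickey",
}


def parse_authentication_methods(value):
    """Split an AuthenticationMethods value into alternative chains.

    Returns [] for the default "any" (no multi-method requirement). A device
    suffix such as "keyboard-interactive:pam" is stripped before comparison
    (assumption: the suffix does not change the prompting behaviour).
    Unknown method names raise ValueError, as sshd rejects them at startup.
    """
    value = value.strip()
    if value == "any":
        return []
    chains = []
    for chain in value.split():
        methods = [m.split(":", 1)[0] for m in chain.split(",")]
        unknown = [m for m in methods if m not in KNOWN_METHODS]
        if unknown:
            raise ValueError(f"unknown authentication method(s): {unknown}")
        chains.append(methods)
    return chains


def passwordless_chains(value):
    """Alternatives that never prompt the user (e.g. agent-only login)."""
    return [c for c in parse_authentication_methods(value)
            if not PROMPTING_METHODS.intersection(c)]


def every_chain_prompts(value):
    """True when no alternative allows a login without a password prompt."""
    chains = parse_authentication_methods(value)
    return bool(chains) and not passwordless_chains(value)


if __name__ == "__main__":
    for v in ("publickey,password publickey,keyboard-interactive",
              "publickey password", "any"):
        print(f"{v!r}: prompts on every path = {every_chain_prompts(v)}, "
              f"passwordless alternatives = {passwordless_chains(v)}")
```

Running it shows that the documented example prompts on every path, while "publickey password" leaves an agent-only path open that never reaches the PAM auth stack.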
