Re: Feature - Password over Pubkey auth

On 03.08.25 11:54, Eduardo Suarez-Santana wrote:
> I've observed that password authentication typically passes through the
> server-side PAM authentication modules. This may be useful for instance to
> unlock an encrypted home directory using the user's password.
> [...]
> I wonder whether a hybrid authentication method could be implemented, where
> the password of the user is stored along with the authorized public key in the
> server, but instead of storing it in plain text, it would be stored encrypted
> with the public key.
>
> So I'm proposing a new authentication method that would send the
> encrypted password to the client, so the client could decrypt it with the
> private key, and then send it back to the server.

My .02:

I'm wondering whether there actually is a use case for (or, much resource savings to be obtained by) SSH logins that do *not* make $HOME available.

Because if
-- there are none,
-- you *want* people to do *keypair* auth to log into the server, and
-- sshd defers the password auth to PAM (as you said it does, above),
I would expect that setting "AuthenticationMethods publickey,password" already does everything that's really required from the *server* side.

It would differ from your proposal in that the password would actually come only from the client side, eliminating the need for the (completely new) "server sends encrypted password to client for decryption" part. I'd *guess* that that greatly reduces the amount of coding required, and it would also mean that the security model remains "*all* sensitive material is stored only on the client", as it is with only-keypair-auth currently; might save a lot of thinking about potential new attack surfaces opened by a change.

What would remain to be done is to (decrypt as needed on and) send the password from the client to the server in a (semi-)automated way. As the manpage for sshpass(1) will tell you
	https://linux.die.net/man/1/sshpass
that's not something that the OpenSSH devs are terribly fond of, but it *can* be done with third party software (like, surprise, sshpass). In particular, if you have an agent running for GnuPG as well as for SSH, you may want to look at "Example 4" on
	https://www.redhat.com/en/blog/ssh-automation-sshpass
for an idea how to connect the pipes ...

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH

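An added audit script, not part of this thread, that checks whether a server's effective sshd configuration actually enforces the key-then-password chain discussed in the reply above. It reads `sshd -T` style "key value" output on stdin; both sample configurations below are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `sshd -T` output: every login must present a key
# first and then a password, and the password is handed to PAM.
SAMPLE_GOOD='port 22
usepam yes
pubkeyauthentication yes
passwordauthentication yes
authenticationmethods publickey,password'

# Constructed sample where AuthenticationMethods is left at its default
# ("any"), so a key alone or a password alone is enough to log in.
SAMPLE_WEAK='port 22
usepam yes
pubkeyauthentication yes
passwordauthentication yes
authenticationmethods any'

# Reads `sshd -T` style lines on stdin. Returns 0 when every allowed
# authentication path is exactly "publickey,password" and PAM is enabled,
# 1 otherwise (with the reason on stdout).
check_hybrid_auth() {
    cfg=$(cat)
    # Value of the first line whose key matches $1 (keys are lowercase in sshd -T output).
    get() { printf '%s\n' "$cfg" | awk -v k="$1" '$1==k {sub(/^[^ ]+ /,""); print; exit}'; }

    [ "$(get usepam)" = "yes" ] || { echo "usepam is not yes: PAM will never see the password"; return 1; }
    [ "$(get pubkeyauthentication)" = "yes" ] || { echo "pubkeyauthentication is disabled"; return 1; }
    [ "$(get passwordauthentication)" = "yes" ] || { echo "passwordauthentication is disabled"; return 1; }

    methods=$(get authenticationmethods)
    [ -n "$methods" ] || { echo "authenticationmethods not present in input"; return 1; }
    # Space-separated entries are alternative chains; each must require
    # the key before the password, or a single factor would suffice.
    for alt in $methods; do
        case "$alt" in
            publickey,password) ;;
            *) echo "alternative '$alt' does not require both key and password"; return 1 ;;
        esac
    done
    echo "ok: every login requires publickey followed by password (via PAM)"
    return 0
}
```

Against a live host, run it as `sshd -T | sh -c '. ./check.sh; check_hybrid_auth'` (or source the file and pipe into the function) as root, since `sshd -T` needs to read the host keys.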

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
