Hi All,

Recently I had a chance to play with the ./sysutils/login_oath and ./security/oath-toolkit ports maintained by Stuart Henderson. Both ports work fantastic, thanks Stuart!

However, I have a general question regarding various auth options with SSH (hopefully this list is OK for this discussion). There are obvious benefits to both public key and OTP authentication and they are very useful and unique in their own ways. But which one would you consider more secure?

I am aware that "more secure" depends on the situation, such as whether the login is happening from a trusted terminal, how is the secret key stored on the device that is generating TOTP, is the public key encrypted, etc. But what are your thoughts in general?

Would it make sense to have the ability to allow OpenSSH on OpenBSD to allow both public key and OTP to be used simultaneously (like RedHat's patch allows using RequiredAuthentications2 option to sshd_config)? Or does it make things needlessly complex?

Thanks everyone!

--peter