On 2013-03-04, Peter Bisroev <pe...@int19h.net> wrote:
> Hi All,
>
> Recently I had a chance to play with ./sysutils/login_oath and
> ./security/oath-toolkit ports maintained by Stuart Henderson. Both
> ports work fantastic, thanks Stuart!
>
> However I have a general question regarding various auth options with
> SSH (hopefully this list is OK for this discussion). There are obvious
> benefits to both public key and OTP authentication and they are very
> useful and unique in their own ways. But which one would you consider
> more secure?
>
> I am aware that "more secure" depends on the situation, such as whether
> the login is happening from a trusted terminal, how is the secret key
> stored on the device that is generating TOTP, is the public key
> encrypted, etc. But what are your thoughts in general?

I think it totally depends on the situation and can't really be applied
in general. Either of them can be made to be unsafe.

> Would it make sense to have the ability to allow OpenSSH on OpenBSD to
> allow both public key and OTP to be used simultaneously (like RedHat's
> patch allows using RequiredAuthentications2 option to sshd_config)? Or
> does it make things needlessly complex?
>
> Thanks everyone!
> --peter

OpenSSH has this in -current, see sshd_config(5) AuthenticationMethods.
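
A check for the setup discussed in this thread, added here as an example and not written by either poster or taken from OpenSSH: it reads sshd_config text and flags every AuthenticationMethods list that does not require publickey together with a second method. The sample config, the `backup` user and the function name are constructed for illustration.

```python
import re

# Constructed sample sshd_config (not from the thread).
SAMPLE = """\
# require a key plus a second factor for everyone...
AuthenticationMethods publickey,keyboard-interactive:bsdauth publickey,password

Match User backup
    AuthenticationMethods publickey
"""


def audit_authentication_methods(config_text):
    """Return (context, method_list, requires_key_and_second_factor) tuples,
    one per AuthenticationMethods list found in the config text."""
    results = []
    context = "global"
    global_seen = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            context = "Match " + rest
        elif keyword == "authenticationmethods":
            if context == "global":
                global_seen = True
            for method_list in rest.split():
                # Drop submethod qualifiers such as ":bsdauth".
                methods = [m.split(":", 1)[0] for m in method_list.split(",")]
                ok = "publickey" in methods and any(m != "publickey" for m in methods)
                results.append((context, method_list, ok))
    if not global_seen:
        # With no global directive, sshd accepts any single method.
        results.insert(0, ("global", "any", False))
    return results


if __name__ == "__main__":
    for context, method_list, ok in audit_authentication_methods(SAMPLE):
        print(f"{'ok  ' if ok else 'WEAK'} [{context}] {method_list}")
```

Each space-separated list is an alternative, so one weak list (here the `Match User backup` override) is enough to let that user in with a single factor.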