On Wed, Mar 27, 2019 at 5:34 AM Boris Epstein <borepst...@gmail.com> wrote:
> On Wed, Mar 27, 2019 at 2:31 AM Ted Unangst <t...@tedunangst.com> wrote:
>
>> Boris Epstein wrote:
>> > Thanks. It makes sense to be able to select login methods under some
>> > circumstances - but do I have an option of forcing the user to log in using
>> > a predetermined set of methods (for instance, password and then a secure
>> > key, or password and YubiKey, or password and SSL key)?
>>
>> If you want to require two methods, you have to specify a combined method,
>> with an appropriate utility in /usr/libexec/auth. This is tricky because the
>> API only allows for one challenge/response, not a series of them. (Unless I'm
>> mistaken.)
>
> It is interesting because some people mention combined methods - like SSL
> hostkey + some second factor being used just in that fashion:
>
> https://chown.me/blog/2FA-with-ssh-on-OpenBSD.html
>
> But based on my experience thus far it looks like Ted is right. So I may
> have to write a utility for combined login. What should that utility do -
> call the two methods in question and return true or false depending on
> whether they succeed?
>
> Thanks for all the help.
>
> Boris.
>
> And here is another interesting tidbit:
>
> https://jonwillia.ms/2016/04/22/2fa-openbsd-ssh-google-authenticator
>
> I may try to follow the same pattern and see if that works.
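
The combined-method idea discussed in the quoted message, as an added example that is not code from the thread or from OpenBSD: because only one challenge/response is available, the single response carries both factors and the check fails closed unless both pass. The response format (password immediately followed by a 6-digit TOTP code), the function names and the sample values are assumptions; `authorize` and `reject` are the back-channel words described in login.conf(5).

```python
import hashlib
import hmac
import struct

# Constructed sample credentials (not real): RFC 6238 test secret, demo salt.
SECRET = b"12345678901234567890"
SALT = b"constructed-salt"


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash, so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


STORED_HASH = hash_password("correct horse", SALT)  # constructed sample


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator uses."""
    counter = struct.pack(">Q", max(int(now), 0) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def combined_verdict(response: str, salt: bytes, stored_hash: bytes,
                     secret: bytes, now: float, digits: int = 6) -> str:
    """Split one response into two factors; authorize only if BOTH verify."""
    code = response[-digits:]
    password = response[:-digits]
    # Malformed input (no password part, non-digit code) is rejected outright.
    if not password or len(code) != digits or not (code.isascii() and code.isdigit()):
        return "reject"
    # Evaluate both factors unconditionally so a failure in one does not
    # skip the other, and compare in constant time.
    pw_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    # Accept the current and the previous time step to tolerate clock drift.
    otp_hits = [hmac.compare_digest(totp(secret, now - d), code) for d in (0, 30)]
    return "authorize" if (pw_ok and any(otp_hits)) else "reject"


if __name__ == "__main__":
    # At t=59 the RFC 6238 test vector yields 287082 for this secret.
    print(combined_verdict("correct horse287082", SALT, STORED_HASH, SECRET, 59))
```

A real login script would write the returned word to the back channel instead of printing it, and would also need replay protection for a code that has already been accepted.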