forked from rpms/openssh
447 lines
17 KiB
Diff
447 lines
17 KiB
Diff
diff -up openssh-5.9p0/auth.h.2auth openssh-5.9p0/auth.h
|
|
--- openssh-5.9p0/auth.h.2auth 2011-05-29 13:39:38.000000000 +0200
|
|
+++ openssh-5.9p0/auth.h 2011-09-05 13:16:00.550626991 +0200
|
|
@@ -149,6 +149,8 @@ int auth_root_allowed(char *);
|
|
|
|
char *auth2_read_banner(void);
|
|
|
|
+void userauth_restart(const char *);
|
|
+
|
|
void privsep_challenge_enable(void);
|
|
|
|
int auth2_challenge(Authctxt *, char *);
|
|
diff -up openssh-5.9p0/auth2.c.2auth openssh-5.9p0/auth2.c
|
|
--- openssh-5.9p0/auth2.c.2auth 2011-05-05 06:04:11.000000000 +0200
|
|
+++ openssh-5.9p0/auth2.c 2011-09-05 13:16:00.640626827 +0200
|
|
@@ -290,6 +290,23 @@ input_userauth_request(int type, u_int32
|
|
}
|
|
|
|
void
|
|
+userauth_restart(const char *method)
|
|
+{
|
|
+ options.two_factor_authentication = 0;
|
|
+
|
|
+ options.pubkey_authentication = options.second_pubkey_authentication && strcmp(method, method_pubkey.name);
|
|
+#ifdef GSSAPI
|
|
+ options.gss_authentication = options.second_gss_authentication && strcmp(method, method_gssapi.name);
|
|
+#endif
|
|
+#ifdef JPAKE
|
|
+ options.zero_knowledge_password_authentication = options.second_zero_knowledge_password_authentication && strcmp(method, method_jpake.name);
|
|
+#endif
|
|
+ options.password_authentication = options.second_password_authentication && strcmp(method, method_passwd.name);
|
|
+ options.kbd_interactive_authentication = options.second_kbd_interactive_authentication && strcmp(method, method_kbdint.name);
|
|
+ options.hostbased_authentication = options.second_hostbased_authentication && strcmp(method, method_hostbased.name);
|
|
+}
|
|
+
|
|
+void
|
|
userauth_finish(Authctxt *authctxt, int authenticated, char *method)
|
|
{
|
|
char *methods;
|
|
@@ -337,6 +354,15 @@ userauth_finish(Authctxt *authctxt, int
|
|
|
|
/* XXX todo: check if multiple auth methods are needed */
|
|
if (authenticated == 1) {
|
|
+ if (options.two_factor_authentication) {
|
|
+ userauth_restart(method);
|
|
+ if (use_privsep)
|
|
+ PRIVSEP(userauth_restart(method));
|
|
+
|
|
+ debug("1st factor authentication done go to 2nd factor");
|
|
+ goto ask_methods;
|
|
+ }
|
|
+
|
|
/* turn off userauth */
|
|
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
|
|
packet_start(SSH2_MSG_USERAUTH_SUCCESS);
|
|
@@ -356,6 +382,7 @@ userauth_finish(Authctxt *authctxt, int
|
|
#endif
|
|
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
|
|
}
|
|
+ask_methods:
|
|
methods = authmethods_get();
|
|
packet_start(SSH2_MSG_USERAUTH_FAILURE);
|
|
packet_put_cstring(methods);
|
|
diff -up openssh-5.9p0/monitor.c.2auth openssh-5.9p0/monitor.c
|
|
--- openssh-5.9p0/monitor.c.2auth 2011-08-05 22:15:18.000000000 +0200
|
|
+++ openssh-5.9p0/monitor.c 2011-09-05 13:37:35.468502112 +0200
|
|
@@ -165,6 +165,7 @@ int mm_answer_jpake_step1(int, Buffer *)
|
|
int mm_answer_jpake_step2(int, Buffer *);
|
|
int mm_answer_jpake_key_confirm(int, Buffer *);
|
|
int mm_answer_jpake_check_confirm(int, Buffer *);
|
|
+int mm_answer_userauth_restart(int, Buffer *);
|
|
|
|
#ifdef USE_PAM
|
|
int mm_answer_pam_start(int, Buffer *);
|
|
@@ -259,6 +260,7 @@ struct mon_table mon_dispatch_proto20[]
|
|
{MONITOR_REQ_JPAKE_KEY_CONFIRM, MON_ONCE, mm_answer_jpake_key_confirm},
|
|
{MONITOR_REQ_JPAKE_CHECK_CONFIRM, MON_AUTH, mm_answer_jpake_check_confirm},
|
|
#endif
|
|
+ {MONITOR_REQ_USERAUTH_RESTART, MON_PERMIT, mm_answer_userauth_restart},
|
|
{0, 0, NULL}
|
|
};
|
|
|
|
@@ -378,9 +380,9 @@ monitor_child_preauth(Authctxt *_authctx
|
|
}
|
|
|
|
/* The first few requests do not require asynchronous access */
|
|
- while (!authenticated) {
|
|
+ while (!authenticated || options.two_factor_authentication) {
|
|
auth_method = "unknown";
|
|
authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
|
|
if (authenticated) {
|
|
if (!(ent->flags & MON_AUTHDECIDE))
|
|
fatal("%s: unexpected authentication from %d",
|
|
@@ -390,7 +393,7 @@ monitor_child_preauth(Authctxt *_authctx
|
|
authenticated = 0;
|
|
#ifdef USE_PAM
|
|
/* PAM needs to perform account checks after auth */
|
|
- if (options.use_pam && authenticated) {
|
|
+ if (options.use_pam && authenticated && !options.two_factor_authentication) {
|
|
Buffer m;
|
|
|
|
buffer_init(&m);
|
|
@@ -2000,6 +2006,19 @@ monitor_reinit(struct monitor *mon)
|
|
monitor_openfds(mon, 0);
|
|
}
|
|
|
|
+int
|
|
+mm_answer_userauth_restart(int sock, Buffer *m)
|
|
+{
|
|
+ char *method;
|
|
+ u_int method_len;
|
|
+
|
|
+ method = buffer_get_string(m, &method_len);
|
|
+
|
|
+ userauth_restart(method);
|
|
+
|
|
+ mm_request_send(sock, MONITOR_ANS_USERAUTH_RESTART, m);
|
|
+}
|
|
+
|
|
#ifdef GSSAPI
|
|
int
|
|
mm_answer_gss_setup_ctx(int sock, Buffer *m)
|
|
diff -up openssh-5.9p0/monitor.h.2auth openssh-5.9p0/monitor.h
|
|
--- openssh-5.9p0/monitor.h.2auth 2011-06-20 06:42:23.000000000 +0200
|
|
+++ openssh-5.9p0/monitor.h 2011-09-05 13:16:00.855502353 +0200
|
|
@@ -66,6 +66,7 @@ enum monitor_reqtype {
|
|
MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
|
|
MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
|
|
MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
|
|
+ MONITOR_REQ_USERAUTH_RESTART, MONITOR_ANS_USERAUTH_RESTART,
|
|
};
|
|
|
|
struct mm_master;
|
|
diff -up openssh-5.9p0/monitor_wrap.c.2auth openssh-5.9p0/monitor_wrap.c
|
|
--- openssh-5.9p0/monitor_wrap.c.2auth 2011-06-20 06:42:23.000000000 +0200
|
|
+++ openssh-5.9p0/monitor_wrap.c 2011-09-05 13:16:00.968503257 +0200
|
|
@@ -1173,6 +1173,26 @@ mm_auth_rsa_verify_response(Key *key, BI
|
|
return (success);
|
|
}
|
|
|
|
+void
|
|
+mm_userauth_restart(const char *monitor)
|
|
+{
|
|
+ Buffer m;
|
|
+
|
|
+ debug3("%s entering", __func__);
|
|
+
|
|
+ buffer_init(&m);
|
|
+
|
|
+ buffer_put_cstring(&m, monitor);
|
|
+
|
|
+ mm_request_send(pmonitor->m_recvfd,
|
|
+ MONITOR_REQ_USERAUTH_RESTART, &m);
|
|
+ debug3("%s: waiting for MONITOR_ANS_USERAUTH_RESTART", __func__);
|
|
+ mm_request_receive_expect(pmonitor->m_recvfd,
|
|
+ MONITOR_ANS_USERAUTH_RESTART, &m);
|
|
+
|
|
+ buffer_free(&m);
|
|
+}
|
|
+
|
|
#ifdef SSH_AUDIT_EVENTS
|
|
void
|
|
mm_audit_event(ssh_audit_event_t event)
|
|
diff -up openssh-5.9p0/monitor_wrap.h.2auth openssh-5.9p0/monitor_wrap.h
|
|
--- openssh-5.9p0/monitor_wrap.h.2auth 2011-06-20 06:42:23.000000000 +0200
|
|
+++ openssh-5.9p0/monitor_wrap.h 2011-09-05 13:16:01.074502211 +0200
|
|
@@ -53,6 +53,7 @@ int mm_key_verify(Key *, u_char *, u_int
|
|
int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
|
|
int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
|
|
BIGNUM *mm_auth_rsa_generate_challenge(Key *);
|
|
+void mm_userauth_restart(const char *);
|
|
|
|
#ifdef GSSAPI
|
|
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
|
diff -up openssh-5.9p0/servconf.c.2auth openssh-5.9p0/servconf.c
|
|
--- openssh-5.9p0/servconf.c.2auth 2011-06-23 00:30:03.000000000 +0200
|
|
+++ openssh-5.9p0/servconf.c 2011-09-05 13:16:01.223441110 +0200
|
|
@@ -92,6 +92,13 @@ initialize_server_options(ServerOptions
|
|
options->hostbased_uses_name_from_packet_only = -1;
|
|
options->rsa_authentication = -1;
|
|
options->pubkey_authentication = -1;
|
|
+ options->two_factor_authentication = -1;
|
|
+ options->second_pubkey_authentication = -1;
|
|
+ options->second_gss_authentication = -1;
|
|
+ options->second_password_authentication = -1;
|
|
+ options->second_kbd_interactive_authentication = -1;
|
|
+ options->second_zero_knowledge_password_authentication = -1;
|
|
+ options->second_hostbased_authentication = -1;
|
|
options->kerberos_authentication = -1;
|
|
options->kerberos_or_local_passwd = -1;
|
|
options->kerberos_ticket_cleanup = -1;
|
|
@@ -237,6 +244,20 @@ fill_default_server_options(ServerOption
|
|
options->permit_empty_passwd = 0;
|
|
if (options->permit_user_env == -1)
|
|
options->permit_user_env = 0;
|
|
+ if (options->two_factor_authentication == -1)
|
|
+ options->two_factor_authentication = 0;
|
|
+ if (options->second_pubkey_authentication == -1)
|
|
+ options->second_pubkey_authentication = 1;
|
|
+ if (options->second_gss_authentication == -1)
|
|
+ options->second_gss_authentication = 0;
|
|
+ if (options->second_password_authentication == -1)
|
|
+ options->second_password_authentication = 1;
|
|
+ if (options->second_kbd_interactive_authentication == -1)
|
|
+ options->second_kbd_interactive_authentication = 0;
|
|
+ if (options->second_zero_knowledge_password_authentication == -1)
|
|
+ options->second_zero_knowledge_password_authentication = 0;
|
|
+ if (options->second_hostbased_authentication == -1)
|
|
+ options->second_hostbased_authentication = 0;
|
|
if (options->use_login == -1)
|
|
options->use_login = 0;
|
|
if (options->compression == -1)
|
|
@@ -316,8 +337,11 @@ typedef enum {
|
|
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
|
sMaxStartups, sMaxAuthTries, sMaxSessions,
|
|
sBanner, sUseDNS, sHostbasedAuthentication,
|
|
- sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
|
- sClientAliveCountMax, sAuthorizedKeysFile,
|
|
+ sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication,
|
|
+ sSecondPubkeyAuthentication, sSecondGssAuthentication,
|
|
+ sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication,
|
|
+ sSecondZeroKnowledgePasswordAuthentication, sSecondHostbasedAuthentication,
|
|
+ sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
|
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
|
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
|
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
|
@@ -395,6 +419,21 @@ static struct {
|
|
#else
|
|
{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
|
|
#endif
|
|
+ { "twofactorauthentication", sTwoFactorAuthentication, SSHCFG_ALL },
|
|
+ { "secondpubkeyauthentication", sSecondPubkeyAuthentication, SSHCFG_ALL },
|
|
+#ifdef GSSAPI
|
|
+ { "secondgssapiauthentication", sSecondGssAuthentication, SSHCFG_ALL },
|
|
+#else
|
|
+ { "secondgssapiauthentication", sUnsupported, SSHCFG_ALL },
|
|
+#endif
|
|
+ { "secondpasswordauthentication", sSecondPasswordAuthentication, SSHCFG_ALL },
|
|
+ { "secondkbdinteractiveauthentication", sSecondKbdInteractiveAuthentication, SSHCFG_ALL },
|
|
+#ifdef JPAKE
|
|
+ { "secondzeroknowledgepasswordauthentication", sSecondZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
|
|
+#else
|
|
+ { "secondzeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
|
|
+#endif
|
|
+ { "secondhostbasedauthentication", sSecondHostbasedAuthentication, SSHCFG_ALL },
|
|
{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
|
|
{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
|
|
{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
|
|
@@ -982,6 +1021,34 @@ process_server_config_line(ServerOptions
|
|
intptr = &options->challenge_response_authentication;
|
|
goto parse_flag;
|
|
|
|
+ case sTwoFactorAuthentication:
|
|
+ intptr = &options->two_factor_authentication;
|
|
+ goto parse_flag;
|
|
+
|
|
+ case sSecondPubkeyAuthentication:
|
|
+ intptr = &options->second_pubkey_authentication;
|
|
+ goto parse_flag;
|
|
+
|
|
+ case sSecondGssAuthentication:
|
|
+ intptr = &options->second_gss_authentication;
|
|
+ goto parse_flag;
|
|
+
|
|
+ case sSecondPasswordAuthentication:
|
|
+ intptr = &options->second_password_authentication;
|
|
+ goto parse_flag;
|
|
+
|
|
+ case sSecondKbdInteractiveAuthentication:
|
|
+ intptr = &options->second_kbd_interactive_authentication;
|
|
+ goto parse_flag;
|
|
+
|
|
+ case sSecondZeroKnowledgePasswordAuthentication:
|
|
+ intptr = &options->second_zero_knowledge_password_authentication;
|
|
+ goto parse_flag;
|
|
+
|
|
+ case sSecondHostbasedAuthentication:
|
|
+ intptr = &options->second_hostbased_authentication;
|
|
+ goto parse_flag;
|
|
+
|
|
case sPrintMotd:
|
|
intptr = &options->print_motd;
|
|
goto parse_flag;
|
|
@@ -1491,14 +1558,21 @@ void
|
|
copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
|
{
|
|
M_CP_INTOPT(password_authentication);
|
|
+ M_CP_INTOPT(second_password_authentication);
|
|
M_CP_INTOPT(gss_authentication);
|
|
+ M_CP_INTOPT(second_gss_authentication);
|
|
M_CP_INTOPT(rsa_authentication);
|
|
M_CP_INTOPT(pubkey_authentication);
|
|
+ M_CP_INTOPT(second_pubkey_authentication);
|
|
M_CP_INTOPT(kerberos_authentication);
|
|
M_CP_INTOPT(hostbased_authentication);
|
|
+ M_CP_INTOPT(second_hostbased_authentication);
|
|
M_CP_INTOPT(hostbased_uses_name_from_packet_only);
|
|
M_CP_INTOPT(kbd_interactive_authentication);
|
|
+ M_CP_INTOPT(second_kbd_interactive_authentication);
|
|
M_CP_INTOPT(zero_knowledge_password_authentication);
|
|
+ M_CP_INTOPT(second_zero_knowledge_password_authentication);
|
|
+ M_CP_INTOPT(two_factor_authentication);
|
|
M_CP_INTOPT(permit_root_login);
|
|
M_CP_INTOPT(permit_empty_passwd);
|
|
|
|
@@ -1720,17 +1794,24 @@ dump_config(ServerOptions *o)
|
|
#endif
|
|
#ifdef GSSAPI
|
|
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
|
+ dump_cfg_fmtint(sSecondGssAuthentication, o->second_gss_authentication);
|
|
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
|
#endif
|
|
#ifdef JPAKE
|
|
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
|
|
o->zero_knowledge_password_authentication);
|
|
+ dump_cfg_fmtint(sSecondZeroKnowledgePasswordAuthentication,
|
|
+ o->second_zero_knowledge_password_authentication);
|
|
#endif
|
|
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
|
+ dump_cfg_fmtint(sSecondPasswordAuthentication, o->second_password_authentication);
|
|
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
|
o->kbd_interactive_authentication);
|
|
+ dump_cfg_fmtint(sSecondKbdInteractiveAuthentication,
|
|
+ o->second_kbd_interactive_authentication);
|
|
dump_cfg_fmtint(sChallengeResponseAuthentication,
|
|
o->challenge_response_authentication);
|
|
+ dump_cfg_fmtint(sTwoFactorAuthentication, o->two_factor_authentication);
|
|
dump_cfg_fmtint(sPrintMotd, o->print_motd);
|
|
dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
|
|
dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
|
|
diff -up openssh-5.9p0/servconf.h.2auth openssh-5.9p0/servconf.h
|
|
--- openssh-5.9p0/servconf.h.2auth 2011-06-23 00:30:03.000000000 +0200
|
|
+++ openssh-5.9p0/servconf.h 2011-09-05 13:16:01.352564530 +0200
|
|
@@ -112,6 +112,14 @@ typedef struct {
|
|
/* If true, permit jpake auth */
|
|
int permit_empty_passwd; /* If false, do not permit empty
|
|
* passwords. */
|
|
+ int two_factor_authentication; /* If true, the first sucessful authentication
|
|
+ * will be followed by the second one from anorher set */
|
|
+ int second_pubkey_authentication; /* second set of authentications */
|
|
+ int second_gss_authentication;
|
|
+ int second_password_authentication;
|
|
+ int second_kbd_interactive_authentication;
|
|
+ int second_zero_knowledge_password_authentication;
|
|
+ int second_hostbased_authentication;
|
|
int permit_user_env; /* If true, read ~/.ssh/environment */
|
|
int use_login; /* If true, login(1) is used */
|
|
int compression; /* If true, compression is allowed */
|
|
diff -up openssh-5.9p0/sshd_config.2auth openssh-5.9p0/sshd_config
|
|
--- openssh-5.9p0/sshd_config.2auth 2011-05-29 13:39:39.000000000 +0200
|
|
+++ openssh-5.9p0/sshd_config 2011-09-05 13:16:01.461565750 +0200
|
|
@@ -87,6 +87,13 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
# and ChallengeResponseAuthentication to 'no'.
|
|
#UsePAM no
|
|
|
|
+#TwoFactorAuthentication no
|
|
+#SecondPubkeyAuthentication yes
|
|
+#SecondHostbasedAuthentication no
|
|
+#SecondPasswordAuthentication yes
|
|
+#SecondChallengeResponseAuthentication yes
|
|
+#SecondGSSAPIAuthentication no
|
|
+
|
|
#AllowAgentForwarding yes
|
|
#AllowTcpForwarding yes
|
|
#GatewayPorts no
|
|
diff -up openssh-5.9p0/sshd_config.5.2auth openssh-5.9p0/sshd_config.5
|
|
--- openssh-5.9p0/sshd_config.5.2auth 2011-08-05 22:17:33.000000000 +0200
|
|
+++ openssh-5.9p0/sshd_config.5 2011-09-05 13:16:01.572564496 +0200
|
|
@@ -726,6 +726,12 @@ Available keywords are
|
|
.Cm PubkeyAuthentication ,
|
|
.Cm RhostsRSAAuthentication ,
|
|
.Cm RSAAuthentication ,
|
|
+.Cm SecondGSSAPIAuthentication ,
|
|
+.Cm SecondHostbasedAuthentication ,
|
|
+.Cm SecondKbdInteractiveAuthentication ,
|
|
+.Cm SecondPasswordAuthentication ,
|
|
+.Cm SecondPubkeyAuthentication ,
|
|
+.Cm TwoFactorAuthentication ,
|
|
.Cm X11DisplayOffset ,
|
|
.Cm X11Forwarding
|
|
and
|
|
@@ -931,6 +937,41 @@ Specifies whether pure RSA authenticatio
|
|
The default is
|
|
.Dq yes .
|
|
This option applies to protocol version 1 only.
|
|
+.It Cm SecondGSSAPIAuthentication
|
|
+Specifies whether the
|
|
+.Cm GSSAPIAuthentication
|
|
+may be used on the second authentication while
|
|
+.Cm TwoFactorAuthentication
|
|
+is set.
|
|
+The argument must be “yes” or “no”. The default is “no”.
|
|
+.It Cm SecondHostbasedAuthentication
|
|
+Specifies whether the
|
|
+.Cm HostbasedAuthentication
|
|
+may be used on the second authentication while
|
|
+.Cm TwoFactorAuthentication
|
|
+is set.
|
|
+The argument must be “yes” or “no”. The default is “no”.
|
|
+.It Cm SecondKbdInteractiveAuthentication
|
|
+Specifies whether the
|
|
+.Cm KbdInteractiveAuthentication
|
|
+may be used on the second authentication while
|
|
+.Cm TwoFactorAuthentication
|
|
+is set.
|
|
+The argument must be “yes” or “no”. The default is “no”.
|
|
+.It Cm SecondPasswordAuthentication
|
|
+Specifies whether the
|
|
+.Cm PasswordAuthentication
|
|
+may be used on the second authentication while
|
|
+.Cm TwoFactorAuthentication
|
|
+is set.
|
|
+The argument must be “yes” or “no”. The default is “yes”.
|
|
+.It Cm SecondPubkeyAuthentication
|
|
+Specifies whether the
|
|
+.Cm PubkeyAuthentication
|
|
+may be used on the second authentication while
|
|
+.Cm TwoFactorAuthentication
|
|
+is set.
|
|
+The argument must be “yes” or “no”. The default is “yes”.
|
|
.It Cm ServerKeyBits
|
|
Defines the number of bits in the ephemeral protocol version 1 server key.
|
|
The minimum value is 512, and the default is 1024.
|
|
@@ -1011,6 +1052,22 @@ For more details on certificates, see th
|
|
.Sx CERTIFICATES
|
|
section in
|
|
.Xr ssh-keygen 1 .
|
|
+.It Cm TwoFactorAuthentication
|
|
+Specifies whether for a successful login is necessary to meet two independent authentications.
|
|
+If select the first method is selected from the set of allowed methods from
|
|
+.Cm GSSAPIAuthentication ,
|
|
+.Cm HostbasedAuthentication ,
|
|
+.Cm KbdInteractiveAuthentication ,
|
|
+.Cm PasswordAuthentication ,
|
|
+.Cm PubkeyAuthentication .
|
|
+And the second method is selected from the set of allowed methods from
|
|
+.Cm SecondGSSAPIAuthentication ,
|
|
+.Cm SecondHostbasedAuthentication ,
|
|
+.Cm SecondKbdInteractiveAuthentication ,
|
|
+.Cm SecondPasswordAuthentication ,
|
|
+.Cm SecondPubkeyAuthentication
|
|
+without the method used for the first authentication.
|
|
+The argument must be “yes” or “no”. The default is “no”.
|
|
.It Cm UseDNS
|
|
Specifies whether
|
|
.Xr sshd 8
|