Minor documentation correction
candlerb opened this issue · 1 comments
In README.md it says:
OpenSSH do not support use publickey and other auth together.
I just wanted to point out that's not actually correct (although it's true for Go's x/crypto/ssh server).
In sshd_config you can put:
AuthenticationMethods publickey,keyboard-interactive:pam
and this requires the user to provide both a public key and a successful keyboard-interactive challenge. I use this with pam_yubico to require a token login in addition to publickey.
This is documented in the sshd_config manpage:
If the default is overridden, then successful authentication requires completion of every method in at least one of these lists.
For example, "publickey,password publickey,keyboard-interactive" would require the user to complete public key authentication, followed by either password or keyboard interactive authentication.
I further tweak this so that logins from the internal network require only publickey, but logins from the Internet require both publickey and token:
# Policy for authentication
AuthenticationMethods publickey,keyboard-interactive:pam
# From office and VPN addresses, 2FA not required
# (the Match pattern list is comma-separated with no spaces)
Match Address 192.168.0.0/16,10.0.0.0/8,2001:db8::/32
    AuthenticationMethods publickey
you know what
this is why i built piper
i am going to paste your example in readme
thanks
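The policy from the issue, evaluated per client address, as an added example that is not part of the issue or of either project: a small Python model of how sshd resolves AuthenticationMethods when Match Address blocks are present, useful for auditing which source ranges skip the second factor. It handles only CIDR patterns in Match Address; the function names and test addresses are assumptions, and the sample config writes the pattern list without spaces.

```python
import ipaddress

# Constructed sample: the policy from the issue, pattern list without spaces.
SAMPLE = """\
# Policy for authentication
AuthenticationMethods publickey,keyboard-interactive:pam
# From office and VPN addresses, 2FA not required
Match Address 192.168.0.0/16,10.0.0.0/8,2001:db8::/32
    AuthenticationMethods publickey
"""

def parse(text):
    """Return (global_lists, blocks); only 'Match Address <cidr,...>' is handled."""
    global_lists, blocks, current = None, [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "match":
            if len(args) != 2 or args[0].lower() != "address":
                raise ValueError(f"unsupported Match line: {raw!r}")
            nets = [ipaddress.ip_network(p) for p in args[1].split(",")]
            current = [nets, None]
            blocks.append(current)
        elif key == "authenticationmethods":
            # Space-separated lists, each a comma-separated sequence of methods.
            lists = [a.split(",") for a in args]
            if current is None:
                global_lists = global_lists or lists
            elif current[1] is None:
                current[1] = lists
    return global_lists, blocks

def effective(text, addr):
    """Method lists required for a client connecting from addr."""
    global_lists, blocks = parse(text)
    ip = ipaddress.ip_address(addr)
    for nets, lists in blocks:
        # A matching Match block overrides the global value; first one wins.
        if lists and any(ip in net for net in nets):
            return lists
    return global_lists or [["any"]]  # sshd's default accepts any single method

def satisfied(lists, completed):
    """True when completed (methods passed, in order) finishes one whole list."""
    if lists == [["any"]]:
        return bool(completed)
    return any(completed[:len(l)] == l for l in lists)
```

On a real host, `sshd -T -C user=...,addr=...` prints the effective settings for a given connection and is the authoritative check.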