How to Configure OpenSSH for Multi-Factor Authentication Using Both Public Key and Password

When working with OpenSSH, the default is that any one enabled method is enough: a client normally offers public key authentication first and, if that fails, falls back to a password. Many security-conscious environments instead require both methods to succeed before access is granted.

The key to enabling dual authentication lies in the /etc/ssh/sshd_config file. Here are the essential parameters you need to configure:

# Enable public key authentication
PubkeyAuthentication yes

# Enable password authentication
PasswordAuthentication yes

# The crucial setting for requiring both: a comma-separated list means every
# method in it must succeed, in this order; space-separated lists would be
# alternatives (e.g. "publickey,password publickey,keyboard-interactive")
AuthenticationMethods publickey,password

Let's look at a complete configuration example for a production environment:

# /etc/ssh/sshd_config snippet
Port 22
# OpenSSH 7.6 and later only speak protocol 2 and treat this directive as
# deprecated (logged and ignored); it is harmless on older versions
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Authentication settings
LoginGraceTime 2m
PermitRootLogin no
# Every public key the client offers and the server rejects counts as one
# try, so a client with several keys loaded in an agent can run out of tries
# before it reaches the password step
MaxAuthTries 3
MaxSessions 5

# Enable both authentication methods
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password

# Additional security
PermitEmptyPasswords no
# Disables keyboard-interactive (PAM challenge/response) prompts; plain
# password authentication still runs through PAM when UsePAM is yes
ChallengeResponseAuthentication no
UsePAM yes

After making changes to the configuration file, always test your setup, and keep your current session open until a fresh login has succeeded:

# Test the configuration syntax (sshd may live outside your PATH, e.g. /usr/sbin/sshd)
sudo sshd -t

# Reload the SSH service (the unit is named "ssh" on Debian and Ubuntu);
# sessions that are already established are not affected
sudo systemctl reload sshd

# Test the connection from the client side; with -v the client reports a
# partial success after the key step and then prompts for the password
ssh -v user@yourserver.com

You can apply different authentication requirements to different users and groups with the Match directive. Every keyword after a Match line belongs to that block until the next Match line or the end of the file, so Match blocks go after the global settings:

Match User adminuser
    AuthenticationMethods publickey,password

Match Group developers
    AuthenticationMethods publickey

When implementing dual authentication, be aware of these performance aspects:

  • Network latency for multiple authentication rounds
  • CPU usage for both public key verification and password hashing
  • Session setup time increase

Combine this with other security measures:

# Rate limiting of unauthenticated connections (start:rate:full): once 10 are
# pending, drop 30% of new ones, rising to 100% at 60
MaxStartups 10:30:60

# Session timeouts: probe an idle client every 300 s and disconnect it after
# two unanswered probes
ClientAliveInterval 300
ClientAliveCountMax 2

# Location of each user's authorized keys, relative to the home directory
# (this is the default; StrictModes checks the file's ownership and mode)
AuthorizedKeysFile .ssh/authorized_keys

Remember to monitor your SSH logs (/var/log/auth.log or /var/log/secure) regularly to detect any authentication anomalies.
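Monitoring is where the dual requirement pays off, because sshd leaves a distinctive trail: when the first of two required methods succeeds it logs a "Partial publickey ..." line, and only then does a password line for the same session follow. The script below is an added example, not part of the original article, that correlates those lines per sshd session (process id plus client address) and raises two alerts a defender cares about: repeated password failures from a session whose key step already passed (whoever holds that private key does not know the password), and a password accepted with no prior key step (the two-method requirement did not apply to that login). The log lines are constructed for the example in the format sshd writes to /var/log/auth.log or /var/log/secure; hostnames, addresses, PIDs and fingerprints are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to auth.log / secure
# (hostnames, addresses, PIDs and fingerprints are made up for this example).
SAMPLE_LOG = """\
Mar 10 09:12:01 bastion sshd[2311]: Partial publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:cOnStRuCtEdFp
Mar 10 09:12:03 bastion sshd[2311]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Mar 10 09:15:40 bastion sshd[2398]: Partial publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:cOnStRuCtEdFp
Mar 10 09:15:44 bastion sshd[2398]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar 10 09:15:49 bastion sshd[2398]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar 10 09:15:53 bastion sshd[2398]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar 10 09:20:10 bastion sshd[2450]: Failed password for invalid user admin from 203.0.113.9 port 60000 ssh2
Mar 10 09:21:00 bastion sshd[2477]: Accepted password for bob from 10.0.0.8 port 51300 ssh2
"""

# One regex covers the Accepted / Failed / Partial lines; "Partial" is what
# sshd logs when the first of two required methods has succeeded.
LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed|Partial) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def analyse(lines, fail_threshold=3):
    """Correlate auth lines per sshd session (pid + client address).

    Returns a dict with:
      alerts: list of (kind, user, ip) in the order raised
        "password-guessing-with-valid-key": the key step passed but the
            password then failed fail_threshold times in that session
        "password-only-login": a password was accepted with no prior key
            step in that session, i.e. the two-method rule did not apply
      keyless_password_failures: per-address count of password failures
            that never completed the key step (ordinary brute-force noise,
            which cannot succeed under publickey,password)
    """
    key_passed = {}                    # (pid, ip) -> user whose key was accepted
    after_key_fails = defaultdict(int)
    keyless = defaultdict(int)
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        session = (m["pid"], m["ip"])
        result, method, user, ip = m["result"], m["method"], m["user"], m["ip"]
        if result == "Partial" and method == "publickey":
            key_passed[session] = user
        elif method == "password" and session in key_passed:
            if result == "Failed":
                after_key_fails[session] += 1
                if after_key_fails[session] == fail_threshold:
                    alerts.append(("password-guessing-with-valid-key", user, ip))
        elif method == "password":
            if result == "Accepted":
                alerts.append(("password-only-login", user, ip))
            else:
                keyless[ip] += 1
    return {"alerts": alerts, "keyless_password_failures": dict(keyless)}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for kind, user, ip in report["alerts"]:
        print(f"ALERT {kind}: user={user} from={ip}")
    print("keyless password failures:", report["keyless_password_failures"])
```

The session key (pid, address) is what makes the correlation reliable: sshd forks one process per connection, so a "Partial publickey" and the password lines that follow it share a pid, while unrelated connections never do. Feed it `tail -f` output or the journal (`journalctl -u ssh -o short`) in the same way.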


OpenSSH supports several authentication methods, including public key and password authentication. By default, succeeding with any one of them is enough to log in. There are scenarios, however, where you want to enforce both for enhanced security.

To enable both public key and password authentication, you need to modify the /etc/ssh/sshd_config file. Here are the key parameters to set:

# Enable public key authentication
PubkeyAuthentication yes

# Enable password authentication
PasswordAuthentication yes

# Require both authentication methods
AuthenticationMethods publickey,password

After making changes to the configuration file, restart the SSH service to apply the changes:

sudo systemctl restart sshd

To verify that both authentication methods are required, attempt to connect to the server:

ssh username@server_ip

The server should first verify your public key and then prompt for your password.

You can further customize the authentication process by specifying different methods for different users or groups:

Match User admin
    AuthenticationMethods publickey,password

Match Group developers
    AuthenticationMethods publickey
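The two Match examples on this page (the adminuser/developers pair above and this admin/developers pair) rely on two sshd_config rules that are easy to get wrong by hand: for every keyword sshd keeps the first value it reads, and a keyword inside a matching Match block overrides the global one. A related mistake is requiring a method in AuthenticationMethods while the keyword that enables it is "no"; sshd only reports that when the affected user connects. The checker below is an added example, not code from the original article or from OpenSSH, that re-implements those rules to answer "which methods will this user have to pass, and are they all enabled for that user?". It models only the User and Group criteria and the upstream defaults for the enabling keywords (both assumptions of the example); the sample config is constructed from the page's snippets plus one deliberately broken Match block. On a real server, `sshd -T -C user=alice` remains the authoritative answer.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the article's global settings and Match blocks, plus one
# extra block (contractors) with the mistake the checker is meant to catch.
SAMPLE_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
# the next line is ignored: sshd keeps the first value it reads
PasswordAuthentication no
Match User admin
    AuthenticationMethods publickey,password
Match Group developers
    AuthenticationMethods publickey
Match Group contractors
    PasswordAuthentication no
    AuthenticationMethods publickey,password
"""

# Keyword that enables each method and its upstream default (distribution
# packages may ship other defaults; adjust if yours do).
ENABLE_KEYWORD = {
    "publickey": ("pubkeyauthentication", "yes"),
    "password": ("passwordauthentication", "yes"),
    "keyboard-interactive": ("kbdinteractiveauthentication", "yes"),
    "hostbased": ("hostbasedauthentication", "no"),
    "gssapi-with-mic": ("gssapiauthentication", "no"),
}

def parse_sshd_config(text):
    """Return (global_opts, blocks): each opts dict keeps the FIRST value seen
    per lower-cased keyword (sshd's rule); blocks are (criteria, opts) pairs
    in file order, criteria being e.g. {"group": "developers"}."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            current = {}
            blocks.append(({c.lower(): p for c, p in zip(tokens[0::2], tokens[1::2])}, current))
        else:
            current.setdefault(keyword, value)
    return global_opts, blocks

def block_matches(criteria, user, groups):
    """Only User and Group criteria are modelled (an assumption of this
    example; negated "!" patterns are not); any other criterion fails."""
    for crit, patterns in criteria.items():
        names = [user] if crit == "user" else groups if crit == "group" else []
        if not any(fnmatchcase(n, p) for p in patterns.split(",") for n in names):
            return False
    return True

def effective(cfg, keyword, user, groups):
    """First matching Match block that sets the keyword wins, otherwise the
    global value (None if never set)."""
    global_opts, blocks = cfg
    for criteria, opts in blocks:
        if keyword in opts and block_matches(criteria, user, groups):
            return opts[keyword]
    return global_opts.get(keyword)

def required_methods(cfg, user, groups):
    """Alternatives sshd accepts, as lists: comma = all of these, space = or.
    Unset means sshd's default "any" (any single enabled method)."""
    value = effective(cfg, "authenticationmethods", user, groups) or "any"
    return [alt.split(",") for alt in value.split()]

def check_methods(cfg, user, groups):
    """Methods required for the user but disabled for them. sshd only notices
    this when that user connects, so check before reloading the service."""
    problems = []
    for alternative in required_methods(cfg, user, groups):
        for method in alternative:
            base = method.split(":", 1)[0]        # drop a submethod such as ":pam"
            if base == "any":
                continue
            if base not in ENABLE_KEYWORD:
                problems.append(f"{user}: unknown method {method!r}")
                continue
            keyword, default = ENABLE_KEYWORD[base]
            if (effective(cfg, keyword, user, groups) or default).lower() != "yes":
                problems.append(f"{user}: {method} required but {keyword} is not yes")
    return problems

if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_CONFIG)
    for who, grps in (("admin", ["wheel"]), ("dev1", ["developers"]),
                      ("bob", ["users"]), ("ext1", ["contractors"])):
        print(who, required_methods(cfg, who, grps), check_methods(cfg, who, grps))
```

Run against the sample, admin and bob both end up with publickey,password (one via a Match block, one via the global setting), dev1 needs only a key, and ext1 is flagged because the contractors block disables the password method it also requires. Note how the second global "PasswordAuthentication no" has no effect, which is the same reason an Include'd drop-in placed above these lines would win over them.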

If you encounter issues, check the SSH logs for errors:

sudo tail -f /var/log/auth.log

Common problems include wrong permissions on the ~/.ssh directory or on the authorized_keys file: with StrictModes (the default), sshd ignores keys kept in a directory or file that is group- or world-writable or not owned by the user, so the key step fails even though the key itself is correct.
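The permission problem mentioned above can be checked before anyone is locked out. The script below is an added example, not from the original article or from OpenSSH, that applies the StrictModes rule from sshd_config(5) the way sshd does when it reads authorized_keys: every path component from the file up to the home directory must be owned by the user (or root) and must not be writable by group or others. The demo builds a throwaway home directory with one classic mistake (a group-writable authorized_keys) and shows the report before and after fixing it; the directory and key line are constructed for the example, not a real account.

```python
import os
import stat
import tempfile


def insecure_path_reasons(path, uid):
    """Why sshd with StrictModes (the default) would refuse to trust `path`:
    it must be owned by the user or root and not be group/world writable."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in (uid, 0):
        reasons.append(f"{path}: owned by uid {st.st_uid}, expected {uid} or 0")
    if st.st_mode & 0o022:
        reasons.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is group or world writable")
    return reasons


def check_user_ssh(home, uid, keyfile=".ssh/authorized_keys"):
    """Apply the StrictModes rule to the home directory, ~/.ssh and the
    authorized_keys file; for the default AuthorizedKeysFile these are
    exactly the components sshd walks from the file up to the home directory.
    Returns a list of problem strings; empty means sshd will read the keys."""
    problems = []
    for rel in ("", os.path.dirname(keyfile), keyfile):
        path = os.path.join(home, rel) if rel else home
        if not os.path.lexists(path):
            problems.append(f"{path}: does not exist")
            continue
        problems.extend(insecure_path_reasons(path, uid))
    return problems


def demo():
    """Constructed scenario in a throwaway directory, not a real account:
    a correctly protected ~/.ssh with one classic mistake (a group-writable
    authorized_keys), then the same tree after chmod 600."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir, 0o700)
        keys = os.path.join(ssh_dir, "authorized_keys")
        with open(keys, "w") as fh:
            # constructed placeholder, not a real key
            fh.write("ssh-ed25519 AAAA-CONSTRUCTED-KEY-MATERIAL constructed@example\n")
        os.chmod(home, 0o755)
        os.chmod(keys, 0o664)          # group-writable: sshd would ignore the file
        before = check_user_ssh(home, uid)
        os.chmod(keys, 0o600)
        after = check_user_ssh(home, uid)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before or "ok")
    print("after fix: ", after or "ok")
```

To audit a real account, call `check_user_ssh(pw.pw_dir, pw.pw_uid)` with the entry from `pwd.getpwnam(user)`; if AuthorizedKeysFile points elsewhere, pass that relative path as `keyfile`.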

While combining authentication methods increases security, ensure that:

  • Password policies are strong
  • Public keys are properly managed
  • SSH service is kept up-to-date