How do I setup sshd to require both a private key and a password?
In /etc/ssh/sshd_config, I currently have:
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
But apparently this allows a user to login using either a private key or password.
Best Answer
You need to setup an SSH gatekeeper. This allows openssh to permit multifactor authentication.
Here's a great link: https://calomel.org/openssh.html
Essentially, you use the ForceCommand directive to run a script when the user logs in. That script then prompts the user for the password. I'm currently looking for a method to verify a given password against the system password, but I'm coming up (understandably) blank.
If the user account is stored in an LDAP directory, you could attempt to bind to the directory using those credentials, but the problem is going to be that the program running will be running as the user, not as root. I don't know the security implications of writing the compiled code and setting it SUID.
Hopefully someone will give you a better answer.
but since I've typed this much, are you in an ultra-secure site? Because that's really the only reason for this. Normal public keys with passphrases should be more than adequate for 99% of cases out there.