I'm trying to understand whether using both an SSH key and a normal Linux user password counts as two-factor authentication. I'm not referring to SSH key passphrases; I'm talking about the standard user passwords. For example, with this configuration in sshd_config: PasswordAuthentication yes, PubkeyAuthentication yes, AuthenticationMethods publickey,password. Can someone explain their reasoning behind whether this setup qualifies as two-factor authentication?
8 Answers
Technically, yes, it qualifies as two-factor authentication. However, if the same password is used to access both the remote system and the private key, then it's not very secure because the risk of key compromise increases. It's best practice to also have a password on your key. This way, the key is not only encrypted on disk but also protected against someone logging in as you or if you leave your session unlocked. A more secure option is to use a hardware device like a YubiKey, protected by a PIN, from which the key can’t be extracted.
Nah, the password alone just decrypts the key for usage, so technically you're still only authenticating with one factor for the host.
Definitely yes! You're using both a key and a password, which are two distinct factors: something you possess and something you know.
Having both factors on the same device isn’t a great idea. It defeats the purpose of two-factor authentication if both factors are compromised together.
I think the request for reasoning is a bit much—seems like asking for someone to do the homework here!
No, it's not two-factor authentication. The reason is that your example allows logins with either a password or an SSH key, which means it doesn't require both at the same time. To be two-factor, you need to use both methods together, so in this case, it doesn't fit the definition.
Actually, the AuthenticationMethods you mentioned is an AND condition, not OR. So, having both publickey and password means both factors are indeed required for successful authentication. Just check the man page for sshd_config!
I agree, it does require both.
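As an added example (not from the original thread, and not OpenSSH code), the following POSIX shell script parses an AuthenticationMethods value using the grammar documented in sshd_config(5): space-separated alternatives are OR-ed, and within one alternative the comma-separated methods must all succeed, in the order listed. It runs that parser over three constructed sshd_config fragments: the asker's publickey,password setting, the space-separated variant that the "either/or" answer above assumed, and the publickey,keyboard-interactive form used when the second factor comes from PAM (e.g. TOTP). The config text, variable names and function names are illustrative only.

```sh
#!/bin/sh
# Added example: mechanical check of the AuthenticationMethods grammar.
# Per sshd_config(5): value = space-separated list of alternatives (any ONE
# alternative may be used, i.e. OR); each alternative = comma-separated list of
# methods that must ALL succeed, in order (AND). "any" permits any single
# method. This parser handles the "Keyword value" form only (not "Keyword=value").

# Print the value of the first AuthenticationMethods directive in the given
# sshd_config text (sshd uses the first value it obtains for a keyword and
# keywords are case-insensitive). Prints nothing if the directive is absent.
auth_methods_of() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "authenticationmethods" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# Print one line per alternative, with the methods of that alternative joined
# by " AND ". Separate lines are therefore OR-ed with each other.
explain_auth_methods() {
    for alt in $1; do                       # unquoted on purpose: split on spaces (OR)
        printf '%s\n' "$alt" | sed 's/,/ AND /g'
    done
}

# Succeed (exit 0) only if EVERY alternative includes method $2, i.e. there is
# no login path that can skip it. An empty value means sshd's default (any
# single method) and is treated as "not required".
always_requires() {
    value=$1; m=$2
    [ -n "$value" ] || return 1
    for alt in $value; do
        case ",$alt," in
            *",$m,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sshd_config fragments (illustrative, not from any real host).
CFG_AND='PasswordAuthentication yes
PubkeyAuthentication yes
AuthenticationMethods publickey,password'             # the asker's setting

CFG_OR='PasswordAuthentication yes
PubkeyAuthentication yes
AuthenticationMethods publickey password'             # either method alone suffices

CFG_PAM='PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive'   # key + PAM second factor

for cfg in "$CFG_AND" "$CFG_OR" "$CFG_PAM"; do
    methods=$(auth_methods_of "$cfg")
    echo "AuthenticationMethods $methods"
    explain_auth_methods "$methods" | sed 's/^/  allowed path: /'
    if always_requires "$methods" publickey && always_requires "$methods" password; then
        echo "  -> key AND password required on every path"
    elif always_requires "$methods" publickey && always_requires "$methods" keyboard-interactive; then
        echo "  -> key AND PAM (keyboard-interactive) required on every path"
    else
        echo "  -> at least one path needs only a single method"
    fi
done
```

To confirm what a real server enforces rather than what the file says, `sshd -T` (run as root) dumps the effective configuration, so `sshd -T | grep -i authenticationmethods` shows the resolved value; add `-C user=alice,addr=...` to evaluate Match blocks for a given connection. `sshd -t` only checks syntax and does not tell you which methods are required.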
It's not two-factor unless the SSH key is properly secured, otherwise it can't be trusted as a valid factor. Generally, SSH key management isn't something many people excel at.
I agree. It's frustrating you can't tell if the key is encrypted on the client side from the server.
I'd say yes. Using a key (something you have) and a password (something you know) technically qualifies as two-factor. But does SSH prompt for a password when a public key is used? That might depend on the configuration. Also, you can set up MFA using PAM with TOTP for even better security options!
But I meant a password, not a passphrase, which is a different context.