Force PKI and Password authentication simultaneously on Ubuntu

I use AD (Active Directory) authentication in my environment for password-based logins.

Current Scenario

  1. A valid AD user logs in to the Ubuntu Linux server via SSH.
  2. That user adds his public key to ~/.ssh/authorized_keys for passwordless login.
  3. I disable/lock/delete the AD user to prevent him from logging in.
  4. The user is still able to log in to the server, since his public key is still there!

Expected Scenario: If I disable/lock/delete a user’s AD account (or his AD password expires), he shouldn’t be able to log in to any server with his AD account, even if his public key is installed there.

To enforce this, you just need to add this line to /etc/ssh/sshd_config:

AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"

This will allow you to log in ONLY if you have your public key installed on the server AND enter your AD password.

I would suggest applying this on PROD systems only.

Now you have the security advantages of both PKI & AD!
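As an added example (not part of the original post), here is a small POSIX sh audit script that reads an sshd_config file and confirms the policy above actually holds: every AuthenticationMethods list must require publickey plus a password-type factor (password or keyboard-interactive), and that factor must not be switched off elsewhere in the same file. The latter check matters because sshd refuses a method list that names a disabled method; Ubuntu cloud images commonly ship a drop-in under /etc/ssh/sshd_config.d/ that sets PasswordAuthentication no, which would break the "publickey,password" list. The script assumes one directive per line with no Match blocks, does not follow Include files, and the three sample configs it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config file for the
# "public key AND AD password" policy. Assumptions: one directive per line,
# no Match blocks, Include files not followed (use `sshd -T` for the effective
# config on a real host). Sample configs below are constructed, not real.

# sshd_opt FILE DIRECTIVE -> first value of DIRECTIVE, unquoted and lowercased
# (sshd honours the first occurrence of a directive, so we stop at the first).
sshd_opt() {
    awk -v k="$2" 'tolower($1)==tolower(k) {$1=""; sub(/^ +/,""); print; exit}' "$1" \
        | tr -d '"' | tr 'A-Z' 'a-z'
}

# Exit status 0 if every AuthenticationMethods list demands publickey plus a
# password-type factor whose own switch is not "no"; 1 otherwise.
check_sshd_mfa() {
    cfg="$1"
    methods=$(sshd_opt "$cfg" AuthenticationMethods)
    if [ -z "$methods" ]; then
        echo "FAIL: no AuthenticationMethods directive (a key alone still logs in)"
        return 1
    fi
    pw=$(sshd_opt "$cfg" PasswordAuthentication)
    kbd=$(sshd_opt "$cfg" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_opt "$cfg" ChallengeResponseAuthentication)  # older name
    for list in $methods; do                     # one comma-separated list per word
        case ",$list," in
            *,publickey,*) ;;
            *) echo "FAIL: list '$list' does not require publickey"; return 1 ;;
        esac
        case ",$list," in
            *,password,*)
                [ "$pw" != "no" ] || { echo "FAIL: '$list' needs PasswordAuthentication yes"; return 1; } ;;
            *,keyboard-interactive,*)
                [ "$kbd" != "no" ] || { echo "FAIL: '$list' needs keyboard-interactive enabled"; return 1; } ;;
            *) echo "FAIL: list '$list' has no password-type factor"; return 1 ;;
        esac
    done
    echo "OK: every method list requires a key and an AD password"
    return 0
}

# Constructed sample configs: the post's line, a key-only host, and a host whose
# drop-in turned password auth off underneath the new policy.
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
PasswordAuthentication yes
AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"
EOF
cat > "$tmp/key_only.conf" <<'EOF'
PasswordAuthentication yes
EOF
cat > "$tmp/disabled.conf" <<'EOF'
PasswordAuthentication no
AuthenticationMethods publickey,password
EOF
for f in good key_only disabled; do
    printf '%s: ' "$f"; check_sshd_mfa "$tmp/$f.conf" || :
done
```

On a live Ubuntu host, run it against the effective configuration rather than the main file: `sshd -T > /tmp/effective.conf && sh audit.sh` style usage, since `sshd -T` merges every Include drop-in into one flat listing, which is exactly the shape this script expects. Also confirm UsePAM yes is in effect, because the AD lookup that makes the password factor reject a locked or expired account happens through PAM.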


About SoCRaT

Systems Engineer, OSS & Linux Geek