Zhu Wu's Blog

The world is a fine place and worth fighting for.

Use Both Private Key and Password for SSH Login

Probably you are used to SSH login authenticated by either private key or password. However, is it possible to use both of them for SSH login?

OpenSSH added support for multiple required authentication in SSH protocol 2 since OpenSSH version 6.2 (released March 2013), using the AuthenticationMethods configuration option. You can specify a list of authentication methods separated by comma in this option, and as a result, the user need to pass all the authentication methods to login to the system via SSH.

To require both public key and password authentication for SSH login, add the following line to /etc/ssh/sshd_config:

AuthenticationMethods publickey,password

In the mean time, you need to make sure that PasswordAuthentication and PasswordAuthentication are set correctly:

PubkeyAuthentication yes
PasswordAuthentication yes

Restart ssh after sshd_config is modified:

sudo restart ssh

When logging in, ssh and scp will first perform public key authentication, and then prompt for a password:

> ssh test@111.111.111.111
Authenticated with partial success.
test@111.111.111.111's password:

You need then fill in password to complete the login process.

In this way, a user needs to pass both public key authentication and server password when login via SSH.