On Thu, May 17, 2012 at 5:56 PM, gregrwm <tclug1 at whitleymott.net> wrote:
>
> but can sshd know if the key required a passphrase?

No, it cannot.

> if not, i want
> sshd to require a password in addition to a key. anyone done this?
> or seen how?

What you want is some sort of two-factor authentication. There are several libraries that enable this. Some make use of a list of single-use passphrases that are entered in conjunction with your username and password, and some use an RSA SecurID-esque token that generates time-based codes that serve as the second factor.

Recently, I've enabled two-factor auth on all of my various personal and work Google Apps accounts. They have a "Google Authenticator" app for smartphones that, once seeded with the unique hash for your account, generates time-based codes that you use to authenticate. It works very well.

In addition to enabling two-factor auth for their own resources, Google also open-sourced a PAM module that allows server administrators to implement two-factor auth as well, using their smartphone app as the "token":

http://code.google.com/p/google-authenticator/

There are many guides around that walk you through how to set this up - it's pretty straightforward.

-Erik