I want to configure sshd to require that a connection authenticate with both a key and a password.
I haven't looked at using PAM or other external authentication methods yet, but my guess at the moment (based on sshd_config(5) is that this is not possible. Prove me wrong. Please?
If you are using openssh, I don't believe you can do this. There are other SSH2 daemons out there which allow extended SSH2 directives giving you a directive called "RequiredAuthentications" and "AllowedAuthentications"; both of which are comma separated lists. You can see a nifty chart of compatibility at:
http://hell.org.ua/Docs/oreilly/tcpip2/ssh/ch05_05.htm
If this is a requirement you have, you should change out your ssh daemon. The config would then be:
AllowedAuthentications password,publickey
RequiredAuthentications password,publickey
Cheers
If you create an certificate with a pass phrase on it, then it will require you to enter that pass phrase when you log in with certificate authentication.
http://novosial.org/openssh/publickey-auth/
Pay particular attention to 'Key Generation' for generating a key with a passphrase, and to 'Key Distribution' for enabling login to a given server with that passphrase-protected key
