[GH-ISSUE #474] Disable MFA verification when using an SK #123

New issue

Open

opened 2026-05-07 00:19:11 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented 2026-05-07 00:19:11 +02:00

Owner

Copy link

Originally created by @perrze on GitHub (Apr 23, 2024).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/474

Hi,
This message is more of a bastion setup question than a issue on the code itself.
Since v3.16.00 (youhou) we can use SK keys to connect to bastion.
But we still need to use MFA after the key is used.
Since, in my organization we consider (is it true ?) that using SK keys constitute a MFA, we thought to disable MFA enforcement.
But since we don't have a lot of money (being a french non-profit) we can't afford buying FIDO keys to everyone.

I wonder if you had ideas to how disable MFA when a user is using SK keys to connect but enforce it when he is using "normal ssh key" ?

I search the web and it doesn't openssh offers the possibility to Match on type of key used. And a group like "nopam" doesn't work because a user could have both sk and not sk keys on his account.

Thanks for your answers, if a change of code is needed I will be pleased to help writing it !
Perrze.

Originally created by @perrze on GitHub (Apr 23, 2024). Original GitHub issue: https://github.com/ovh/the-bastion/issues/474 Hi, This message is more of a bastion setup question than a issue on the code itself. Since `v3.16.00` (youhou) we can use SK keys to connect to bastion. But we still need to use MFA after the key is used. Since, in my organization we consider (is it true ?) that using SK keys constitute a MFA, we thought to disable MFA enforcement. But since we don't have a lot of money (being a french non-profit) we can't afford buying FIDO keys to everyone. **I wonder if you had ideas to how disable MFA when a user is using SK keys to connect but enforce it when he is using "normal ssh key" ?** I search the web and it doesn't openssh offers the possibility to Match on type of key used. And a group like "nopam" doesn't work because a user could have both sk and not sk keys on his account. Thanks for your answers, if a change of code is needed I will be pleased to help writing it ! Perrze.

BreizhHardware referenced this issue 2026-05-07 00:20:02 +02:00

[PR #123] [MERGED] fix: config: be more permissive for documentationURL regex #255

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

expifix

groupcreate_fix_uid

fix_group_gid_fast

gh-pages

clush

expiration

jsonvalidator

v3.23.01

v3.23.00

v3.22.00

v3.21.00

v3.20.00

v3.19.01

v3.19.00

v3.18.99-rc1

v3.18.00

v3.17.01

v3.17.00

v3.16.99-rc3

v3.16.99-rc2

v3.16.99-rc1

v3.16.01

v3.16.00

v3.15.00

v3.14.16

v3.14.15

v3.14.00

v3.13.01

v3.13.00

v3.12.00

v3.11.02

v3.11.01

v3.11.00

v3.10.00

v3.09.02

v3.09.00-really

v3.09.00

v3.09.00-rc3

v3.09.00-rc2

v3.09.00-rc1

v3.08.01

v3.08.00

v3.07.00

v3.06.00

v3.05.01

v3.05.00

v3.04.00

v3.03.99-rc2

v3.03.99-rc1

v3.03.01

v3.03.00

v3.02.00

v3.01.99-rc4

v3.01.99-rc3

v3.01.99-rc2

v3.01.99-rc1

v3.01.03

v3.01.02

v3.01.01

v3.01.00

v3.00.02

v3.00.01

v3.00.00

Labels

Clear labels   

answered

  

bug

  

documentation

  

enhancement

  

enhancement

  

feature

  

feature

  

kept-open-for-info

  

pull-request

Mirrored from GitHub Pull Request

  

question

No labels

answered

bug

documentation

enhancement

enhancement

feature

feature

kept-open-for-info

pull-request

question

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/the-bastion#123

No description provided.