Below you will find pages that utilize the taxonomy term “SSH”
Two factor for SSH, revisited
A great many guides use Google authentication as a two-factor source for SSH, and this is fine for one-off servers where you are the one and only admin. However, there are several problems for multi-server and/or multi-user environments. Let's review these problems, get a better understanding of two-factor auth, and look at some solutions.
Problem 1: The secret key is stored in your user's home directory on the server. With it, you can generate tokens at any time. This means that if your server gets compromised, the attacker can now generate your one-time tokens at will. If you have 10 servers using the same token, they can generate that token for all of them.
SSHCRYPT
The other day, my friend was asking how to encrypt a file with a public key. I assumed he meant a PGP key, but he was actually talking about SSH keys. A quick Google search shows people have asked this question before, with kind of lackluster answers.
The majority of SSH keys are actually RSA keys, which is good, as they are the only type of SSH key that can also encrypt. It also happens that the majority of PGP keys are RSA keys. As a result, the underlying encryption used for PGP messages and for authenticating to a server is usually the same.