PAM is used for all authentication tasks, including login. Indeed, PAM exists so that
you can alter or enhance the login (or any other) authentication process without otherwise changing any of the underlying code.
Generally speaking, "if one password isn't good enough, two passwords or n passwords won't be any better." (It simply increases the probability that the passwords will be written on a little note that's taped underneath the keyboard.)
Consider... authentication tokens (smart cards, etc.), thumbprint recognizers, or, in the case of ssh
the password authentication option with the use of RSA digital certificates which are password-encrypted.
is another very powerful tool to use in association with ssh. It can store passwords in a secure store and supply them on-demand to any ssh-enabled app which needs to use them, e.g. to unlock digital certificates. This is why I can log on to a distant system using a certificate with a passphrase of "Q%]`Upv@gz" and I never actually have to type that.
Should the computer holding the certificate be compromised, the owners of the distant system invalidate that certificate so that it becomes utterly useless even if the thief manages to unlock it. (And there is a time-lock, too: I can't log on at 3 AM.)