Not everyone knows that you can use MFA with SSH. I’ve successfully used Google Authenticator via PAM[1] and YubiKey[2].

You can also set up SSH certificate authorities instead of using self-signed ones [3].

[1] https://wiki.archlinux.org/title/Google_Authenticator

[2] https://developers.yubico.com/SSH/

[3] https://jameshfisher.com/2018/03/16/how-to-create-an-ssh-cer...

And you can use a YubiKey hardware key as an ecdsa-sha2-nistp384 secret store, without messing with PAM or needing custom key types or special files on the client host: https://github.com/FiloSottile/yubikey-agent