I have been thinking about using a key pair WITH username and password.
The username and password method is augmented with MFA - the username-and-password-only entry will deliver a phone app push, or you can append an OTP to your password.
This works … 100% tested.
I am trying to make it look for a key as well … I had thought that the VPN would not connect at all without the key, so the key might serve as DoS protection, as in the server would not be troubled with authentication if the key was missing. However, from a brief test it seems the username has to be entered before the key is checked.
Unfortunately, in the UK a keypair-only setup gives compliance problems - all outside-in apps must use MFA.
If I am correct about the username-and-keypair combo requiring a username, then I will rate limit and use other anti-DoS approaches. …
See AuthenticationMethods in man sshd_config, where there is an example that describes exactly your situation and addresses exactly your concern with brute-forcing passwords. Quoting, emphasis mine:
    AuthenticationMethods
        Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more lists of comma-separated authentication method names, or by the single string any to indicate the default behaviour of accepting any single authentication method. If the default is overridden, then successful authentication requires completion of every method in at least one of these lists. For example, “publickey,password publickey,keyboard-interactive” would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. Only methods that are next in one or more lists are offered at each stage, so for this example it would not be possible to attempt password or keyboard-interactive authentication before public key.
Is it possible to list just one key that all use, giving the trusted-device function?
This is my preferred method, with individual username and password backed by MFA. The server will also automatically receive new users, as it is also AD authenticated.
Sure. You can use the AuthorizedKeysFile directive in sshd_config, set it to an absolute path to a file somewhere on the host (out of reach of users), and populate it with the trusted public key, e.g.
AuthorizedKeysFile /path/to/trusted_keys
Note that this will prevent use of .ssh/authorized_keys for individual users, but I think that is actually a benefit in your case.
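As an added illustration of the two points in this thread (not code from the thread or from OpenSSH), here is a small checker that reads an sshd_config and verifies that every AuthenticationMethods list begins with publickey, so no password or keyboard-interactive attempt can be started before a key is presented, and that AuthorizedKeysFile points at one host-wide absolute path rather than a per-user location. The sample config and the path /etc/ssh/trusted_keys are constructed for the example.

```python
"""Audit an sshd_config for the key-first MFA layout discussed in the thread.

Added example, not from the original thread or from OpenSSH. Handles the
"Directive value" form only; like sshd, the first occurrence of a directive
wins. Only the two directives the thread discusses are examined.
"""
import os
import shlex

# Constructed sample: the layout from the answer, plus a single trusted key
# file outside any user's home directory.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
PasswordAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
AuthorizedKeysFile /etc/ssh/trusted_keys
"""


def parse_directives(text):
    """Return {directive_lower: [values]} keeping the first occurrence of each."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = shlex.split(line)
        key, values = parts[0].lower(), parts[1:]
        result.setdefault(key, values)
    return result


def key_required_first(directives):
    """True only when every accepted method list starts with publickey."""
    chains = [tuple(c.split(",")) for c in directives.get("authenticationmethods", [])]
    # "any", a missing directive, or a list starting with password all fail.
    return bool(chains) and all(c and c[0] == "publickey" for c in chains)


def uses_central_keyfile(directives):
    """True when AuthorizedKeysFile is one absolute path with no per-user token."""
    files = directives.get("authorizedkeysfile", [])
    return (len(files) == 1 and os.path.isabs(files[0])
            and "%h" not in files[0] and "%u" not in files[0])


def audit(text):
    """Summarise both checks for a config text."""
    d = parse_directives(text)
    return {"key_first": key_required_first(d), "central_keyfile": uses_central_keyfile(d)}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; a `key_first` of False means a password prompt is reachable without a key.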