Tightening security on shell accounts

I have gone on a bit of a tightening of all my accounts lately and it would be great if security could be tightened on shell accounts. If someone got in they could cause a lot of damage. All that is needed is a password.

The suggestions would be

  • Ability to enable ssh key authentication only for a shell account
  • Ability to enable two-factor authentication only, e.g. via Google Authenticator for a shell account
  • Ability to enable password + two-factor authentication for a shell account

I’d just like this one. AFAICT it would just be:

  1. Adding a specific iwantsshauthonly group.
  2. Making a panel widget to add user to group (and remove them from it on unclick).
  3. A little bit of extra config added to the sshd
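
The sshd side of step 3 could look like the following. This is an added example, not part of the original thread and not the host's actual configuration. The group name comes from the post; the marker comments and function names are hypothetical.

```shell
#!/bin/sh
# Added example: idempotently append a key-only Match block to an sshd config.
# GROUP is the group name proposed in the post; markers and function names
# are assumptions made for this sketch.

GROUP="iwantsshauthonly"
MARK_BEGIN="# BEGIN key-only group: $GROUP"
MARK_END="# END key-only group: $GROUP"

# Return 0 if the managed block is already present in config file "$1".
has_keyonly_block() {
    grep -qxF "$MARK_BEGIN" "$1" 2>/dev/null
}

# Append the Match block to "$1" unless it is already there.
# A Match block runs until the next Match line or end of file, so it is
# appended last; placed earlier it would capture the global settings below it.
ensure_keyonly_block() {
    conf=$1
    if has_keyonly_block "$conf"; then
        return 0
    fi
    cat >>"$conf" <<EOF

$MARK_BEGIN
Match Group $GROUP
    PasswordAuthentication no
    AuthenticationMethods publickey
$MARK_END
EOF
}

# The panel widget in step 2 would only toggle group membership, e.g.
#   gpasswd -a USER iwantsshauthonly   (tick)
#   gpasswd -d USER iwantsshauthonly   (untick)
# After editing the real config, check it with `sshd -t` before reloading sshd.

if [ "$#" -eq 1 ]; then
    ensure_keyonly_block "$1"
fi
```

Because the restriction is keyed on group membership, sshd evaluates it per connection and no reload is needed when a user is added to or removed from the group.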