Two Factor SSH Authentication using CAC/PIV Card

Two-factor SSH authentication uses a Common Access Card (CAC) or a Personal Identity Verification (PIV) card to authenticate the user.

Digital certificates in the X.509v3 format (RFC 5280) provide identity management for both the SSH client and the SSH server. A chain of signatures by a trusted root certification authority and its intermediate certificate authorities binds a given public signing key to a given digital identity. The term Non-Person Entity (NPE) describes certificates assigned to hardware such as web servers, switches, and routers.

For user authentication, the SSH client sends the user's certificate stored on the Personal Identity Verification (PIV) card or Common Access Card (CAC) to the SSH server for verification. The SSH server running on the SLX device validates the incoming user certificate against its public key infrastructure (PKI) trust store.

After the user certificate has been validated (i.e. it is neither expired nor revoked), the second step is to authorize the user and set the privilege level of the user account, either against LDAP (if configured) or against the locally defined user account (if LDAP is not configured). The user name has the format EDIPI@domain (extracted from the subject Common Name) for a CAC, or CHUID@domain (extracted from the SAN principal name) for a PIV card. EDIPI is the term used by the United States DoD; it is a 10-digit number and a subset of the CHUID (the term NIST uses), which is a 14-digit number.

If the LDAP/RADIUS server is not reachable or is not configured, authorization falls back to the user account configured locally on the device.
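The three steps above (validity check, login-name derivation, authorization with local fallback) as an added Python example; this is not SLX-OS code. It assumes the certificate fields have already been parsed into strings, that DoD CAC subject CNs follow the LAST.FIRST.MIDDLE.EDIPI layout, and uses constructed sample values and a constructed unreachable-LDAP stand-in.

```python
"""Login-name derivation and authorization fallback for CAC/PIV SSH logins.
Added example: certificate fields are already-parsed strings (constructed), and
the DoD CN layout LAST.FIRST.MIDDLE.EDIPI is an assumption of this example."""
import re
from datetime import datetime, timezone

EDIPI_RE = re.compile(r"\.(\d{10})$")       # CAC: 10-digit EDIPI ends the subject CN
CHUID_RE = re.compile(r"^\d{14}@[\w.-]+$")  # PIV: CHUID@domain in the SAN principal name


def certificate_is_valid(not_before, not_after, serial, revoked_serials, now=None):
    """Step 1: inside the validity window and not on the revocation list."""
    now = now or datetime.now(timezone.utc)
    return not_before <= now <= not_after and serial not in revoked_serials


def login_name(card_type, subject_cn="", san_principal="", domain="example.mil"):
    """Step 2: build the user name the device looks up (EDIPI@domain or CHUID@domain)."""
    if card_type == "CAC":
        m = EDIPI_RE.search(subject_cn)
        if not m:
            raise ValueError("subject CN does not end in a 10-digit EDIPI")
        return f"{m.group(1)}@{domain}"
    if card_type == "PIV":
        if not CHUID_RE.match(san_principal):
            raise ValueError("SAN principal name is not a 14-digit CHUID@domain")
        return san_principal
    raise ValueError(f"unsupported card type {card_type!r}")


def authorize(user, ldap_lookup, local_users):
    """Step 3: privilege level from LDAP when configured and reachable, else local."""
    if ldap_lookup is not None:
        try:
            level = ldap_lookup(user)
            if level is not None:
                return ("ldap", level)
        except ConnectionError:
            pass  # LDAP unreachable: fall back to the local account database
    level = local_users.get(user)
    return ("local", level) if level is not None else (None, None)


def unreachable_ldap(_user):
    """Constructed stand-in for an LDAP server that cannot be reached."""
    raise ConnectionError("ldap server unreachable")


if __name__ == "__main__":
    user = login_name("CAC", subject_cn="DOE.JOHN.Q.1234567890")
    print(user, authorize(user, unreachable_ldap, {user: "admin"}))
```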