[ale] OpenSSH RequiredAuthentications2 publickey,password

David Tomaschik david at systemoverlord.com
Fri Dec 28 14:20:12 EST 2012


Key + Phone Token doesn't add as much as Key + Password.  With Key + Phone
token, if I break into your hotel room and you've left your phone and
laptop, you're done.

That being said, the Google Authenticator app is just an implementation of
RFC 6238 TOTP -- and there's a PAM module available:
https://code.google.com/p/google-authenticator/

So, with current OpenSSH, you can do password + otp via PAM.

(Since we're discussing a Google product, the usual disclaimer about this
being my opinion only, not speaking on behalf of my employer, etc. applies.)

David


On Fri, Dec 28, 2012 at 11:06 AM, Scott Plante <splante at insightsys.com> wrote:

> Rather than a password, I'd like to see something like what Google does.
> They have an app on your phone that generates a temporary code that you
> have to enter. Or they can text you the code, if you don't have a phone
> that'll run the app. The code is only good for a very short period, like
> 20-30 seconds. In Google's case, it's in addition to a password. You don't
> have to enter the code every time on a given device, but you do every so
> often (maybe once a month). You always have to enter it the first time on a
> new device. When you set this up for your Google account, they also give
> you a list of long, one-time-use passwords to print and keep in your
> (physical) wallet or some secure location. You can use them in case the
> 2-factor system is down or you don't have your phone. This is similar to
> the key-fob Security Tokens that have been out for more than a decade,
> except you don't have to buy/carry a separate device, and you don't have to
> replace it when your encryption gets hacked, like RSA's SecurID was. Just
> send out an app update.
>
> I'd like to be able to set up different rules for different systems, like
> require code every time on the external interface to the firewall. Or
> always require it if you're logging in from a new IP address for a given
> user.
>
> Scott
> ------------------------------
> *From: *"David Tomaschik" <david at systemoverlord.com>
> *To: *"Mike Harrison" <cluon at geeklabs.com>
> *Cc: *"Atlanta Linux Enthusiasts" <ale at ale.org>
> *Sent: *Friday, December 28, 2012 1:17:04 PM
> *Subject: *Re: [ale] OpenSSH RequiredAuthentications2 publickey,password
>
>
> Some googling around the option name (RequiredAuthentications2) suggests
> that it is only in RH's patched version of OpenSSH, however a patch based
> on that should be included in OpenSSH 6.2.  I look forward to that -- SSH
> keys are NOT 2-factor, despite what many people may say.  There's no way to
> force someone to have an encrypted key, so the passphrase is not a 2nd
> factor.  I'd like to see SSH key + pw become the standard.
>
>
> On Thu, Dec 27, 2012 at 4:39 PM, Mike Harrison <cluon at geeklabs.com> wrote:
>
>> David:
>>
>>> I'm not aware of any way to configure OpenSSH to ask for multiple
>>> authentication factors.  You can fudge it with PAM (password + otp, for
>>> example) but not with anything involving public
>>> keys.  (Unless something has changed since I looked ~1 year ago at my
>>> last job.)
>>>
>>
>> Good disclaimer, :)  Best example I found is listed below,
>> and while it's new to OpenSSH, it's been around in other versions (
>> ssh.com) Look like two factor auth has been added to OpenSSH in certain
>> versions.  It does not work on my Bodhi Linux system. (OpenSSH_5.9p1
>> Debian-5ubuntu1)
>>
>> It also does not show up in the official docs:
>> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
>>
>> I've got a Redhat system I can test in the office... and will do when I
>> can....
>>
>>
>> -------------------------------------------------------
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=657378
>>
>> Fixed In Version:       openssh-5.3p1-80.el6
>> Doc Type:       Enhancement
>> Doc Text:
>> Multiple required methods of authentications for sshd SSH can now be set
>> up to require multiple ways of authentication (whereas previously SSH
>> allowed multiple ways of authentication of which only one was required for
>> a successful login); for example, logging in to an SSH-enabled machine
>> requires both a passphrase and a public key to be entered. The
>> RequiredAuthentications1 and RequiredAuthentications2 options can be
>> configured in the /etc/ssh/sshd_config file to specify authentications that
>> are required for a successful log in. For example: ~]# echo
>> "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config For
>> more information on the aforementioned /etc/ssh/sshd_config options, refer
>> to the sshd_config man page.
>>
>>
>>
>
>
> --
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>


-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com