[ale] OpenSSH RequiredAuthentications2 publickey,password

Scott Plante splante at insightsys.com
Fri Dec 28 15:10:16 EST 2012


True, kinda. I do maintain a lock code on my phone so you'd still have to get past that, and while I might leave my laptop or tablet in my room, it's extremely rare for me to leave my phone. 


Also, I get that in certain ways the phone token is less secure than the password. Certainly I don't want to look up a phone token every time I do an SSH connection. In my case, I'm worried about me and a couple of other people using ssh, so I can enforce the use of a passphrase with SSH. I realize that an admin with lots of ssh users can't really enforce that. Of course, in other ways, the phone token can be more secure than the password, because you do actually have to get possession of my phone or list of single use codes. It eliminates a number of different password attacks. 


Thanks for the link and info. I kinda knew it was possible, but I've been trying to find the time to search for some kind of how-to for setting all that up. Also, my firewall is pfSense so I need BSD support on that side. Just one of many projects on the list. 


Scott 

----- Original Message -----

From: "David Tomaschik" <david at systemoverlord.com> 
To: "Atlanta Linux Enthusiasts" <ale at ale.org> 
Sent: Friday, December 28, 2012 2:20:12 PM 
Subject: Re: [ale] OpenSSH RequiredAuthentications2 publickey,password 



Key + Phone Token doesn't add as much as Key + Password. With Key + Phone token, if I break into your hotel room and you've left your phone and laptop, you're done. 


That being said, the Google Authenticator app is just an implementation of RFC 6238 TOTP -- and there's a PAM module available: https://code.google.com/p/google-authenticator/ 


So, with current OpenSSH, you can do password + otp via PAM. 


(Since we're discussing a Google product, the usual disclaimer about this being my opinion only, not speaking on behalf of my employer, etc. applies.) 


David 



On Fri, Dec 28, 2012 at 11:06 AM, Scott Plante < splante at insightsys.com > wrote: 






Rather than a password, I'd like to see something like what Google does. They have an app on your phone that generates a temporary code that you have to enter. Or they can text you the code, if you don't have a phone that'll run the app. The code is only good for a very short period, like 20-30 seconds. In Google's case, it's in addition to a password. You don't have to enter the code every time on a given device, but you do every so often (maybe once a month). You always have to enter it the first time on a new device. When you set this up for your Google account, they also give you a list of long, one-time-use passwords to print and keep in your (physical) wallet or some secure location. You can use them in case the 2-factor system is down or you don't have your phone. This is similar to the key-fob Security Tokens that have been out for more than a decade, except you don't have to buy/carry a separate device, and you don't have to replace it when your encryption gets hacked, like RSA's SecurID was. Just send out an app update. 


I'd like to be able to set up different rules for different systems, like require code every time on the external interface to the firewall. Or always require it if you're logging in from a new IP address for a given user. 

Scott 


From: "David Tomaschik" < david at systemoverlord.com > 
To: "Mike Harrison" < cluon at geeklabs.com > 
Cc: "Atlanta Linux Enthusiasts" < ale at ale.org > 
Sent: Friday, December 28, 2012 1:17:04 PM 
Subject: Re: [ale] OpenSSH RequiredAuthentications2 publickey,password 




Some googling around the option name (RequiredAuthentications2) suggests that it is only in RH's patched version of OpenSSH, however a patch based on that should be included in OpenSSH 6.2. I look forward to that -- SSH keys are NOT 2-factor, despite what many people may say. There's no way to force someone to have an encrypted key, so the passphrase is not a 2nd factor. I'd like to see SSH key + pw become the standard. 



On Thu, Dec 27, 2012 at 4:39 PM, Mike Harrison < cluon at geeklabs.com > wrote: 

<blockquote>
David: 

<blockquote>
I'm not aware of any way to configure OpenSSH to ask for multiple authentication factors. You can fudge it with PAM (password + otp, for example) but not with anything involving public 
keys. (Unless something has changed since I looked ~1 year ago at my last job.) 



Good disclaimer, :) Best example I found is listed below, 
and while it's new to OpenSSH, it's been around in other versions ( ssh.com ). Looks like two factor auth has been added to OpenSSH in certain versions. It does not work on my Bodhi Linux system. (OpenSSH_5.9p1 Debian-5ubuntu1) 

It also does not show up in the official docs: 
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5 

I've got a Redhat system I can test in the office... and will do when I can.... 


------------------------------ ------------------------- 

https://bugzilla.redhat.com/show_bug.cgi?id=657378 

Fixed In Version: openssh-5.3p1-80.el6 
Doc Type: Enhancement 
Doc Text: 
Multiple required methods of authentications for sshd 

SSH can now be set up to require multiple ways of authentication (whereas previously SSH allowed multiple ways of authentication of which only one was required for a successful login); for example, logging in to an SSH-enabled machine requires both a passphrase and a public key to be entered. The RequiredAuthentications1 and RequiredAuthentications2 options can be configured in the /etc/ssh/sshd_config file to specify authentications that are required for a successful log in. For example: 

    ~]# echo "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config 

For more information on the aforementioned /etc/ssh/sshd_config options, refer to the sshd_config man page. 



</blockquote>




-- 
David Tomaschik 
OpenPGP: 0x5DEA789B 
http://systemoverlord.com 
david at systemoverlord.com 
_______________________________________________ 
Ale mailing list 
Ale at ale.org 
http://mail.ale.org/mailman/listinfo/ale 
See JOBS, ANNOUNCE and SCHOOLS lists at 
http://mail.ale.org/mailman/listinfo 




</blockquote>




-- 
David Tomaschik 
OpenPGP: 0x5DEA789B 
http://systemoverlord.com 
david at systemoverlord.com 
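
Added example (not part of the thread or of OpenSSH): a small check for whether an sshd_config actually forces more than one authentication method. It covers the Red Hat RequiredAuthentications2 option quoted above and the AuthenticationMethods option that OpenSSH 6.2 shipped; the function names and sample configs are constructed here, and Match blocks are assumed out of scope.

```python
# Added example: audit sshd_config text for enforced multi-method login.
# Function names and SAMPLES are constructed for illustration.

def parse_global(config_text):
    """Return global directives (text before the first Match block).
    Keywords are case-insensitive and the first value obtained wins."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts


def required_method_lists(opts):
    """Each inner list is one set of methods that must ALL succeed."""
    if "authenticationmethods" in opts:  # OpenSSH 6.2 and later
        value = opts["authenticationmethods"]
        if value.lower() == "any":  # default: any single method is enough
            return []
        # Space-separated alternatives; drop ":submethod" suffixes such as ":pam".
        return [[m.split(":")[0] for m in alt.split(",")] for alt in value.split()]
    if "requiredauthentications2" in opts:  # Red Hat patched builds
        return [opts["requiredauthentications2"].split(",")]
    return []


def enforces_multiple_methods(config_text):
    """True only if every accepted alternative needs two distinct methods."""
    lists = required_method_lists(parse_global(config_text))
    return bool(lists) and all(len(set(alt)) >= 2 for alt in lists)


SAMPLES = {
    "rh_patch": "RequiredAuthentications2 publickey,password\n",
    "openssh62": "AuthenticationMethods publickey,keyboard-interactive:pam\n",
    "bypass": "AuthenticationMethods publickey,password publickey\n",
    "default": "# nothing set\nPasswordAuthentication yes\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, enforces_multiple_methods(text))
```

The "bypass" sample is the case to watch for: a second, shorter list lets a client finish with the key alone.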
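
Added example (not from the thread and not the google-authenticator PAM module's code): the RFC 6238 TOTP calculation mentioned above, with a server-side check that shows why a code stops working after a short time and cannot be reused. The verify() policy (one step of clock skew, last-used-step tracking) and all names are assumptions of this sketch; the secret is the RFC's published test key.

```python
# Added example: RFC 6238 TOTP (HMAC-SHA1) and a replay-aware verifier.
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"  # test key published in RFC 6238


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """TOTP is HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, int(now) // step, digits)


def verify(secret, candidate, now, last_used_step, step=30, window=1, digits=6):
    """Return the matching time step, or None if the code is rejected.

    Accepts the current step plus/minus `window` steps of clock skew and
    refuses any step at or before `last_used_step`, so a code that was
    observed once cannot be replayed. The caller stores the returned step.
    """
    current = int(now) // step
    matched = None
    for s in range(max(0, current - window), current + window + 1):
        if s <= last_used_step:
            continue
        expected = hotp(secret, s, digits)
        # Constant-time comparison; keep looping so timing does not leak s.
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            matched = s
    return matched


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)
    print("code at t=59:", code)
    print("accepted at t=89:", verify(RFC_TEST_SECRET, code, 89, -1))
    print("replayed:", verify(RFC_TEST_SECRET, code, 89, 1))
    print("too old at t=149:", verify(RFC_TEST_SECRET, code, 149, -1))
```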
