<div dir="ltr">On Fri, Dec 28, 2012 at 4:11 PM, Jim Kinney <span dir="ltr"><<a href="mailto:jim.kinney@gmail.com" target="_blank">jim.kinney@gmail.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">In days past I looked at generating a script that runs ssh-add on user<br>
keys. Any keys that add to ssh-agent without password request will get<br>
edited to include a '!' as the first character of the key. An email is<br>
generated that informs the (l)user of the security requirements and<br>
what was changed. Second offense deletes the key.<br></blockquote><div><br></div><div>While that sounds great, it assumes you have control over the client machine. That's not a valid assumption in a lot of cases.</div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div class="h5"><br>
On Fri, Dec 28, 2012 at 1:17 PM, David Tomaschik<br>
<<a href="mailto:david@systemoverlord.com">david@systemoverlord.com</a>> wrote:<br>
> Some googling around the option name (RequiredAuthentications2) suggests<br>
> that it is only in RH's patched version of OpenSSH, however a patch based on<br>
> that should be included in OpenSSH 6.2. I look forward to that -- SSH keys<br>
> are NOT 2-factor, despite what many people may say. There's no way to force<br>
> someone to have an encrypted key, so the passphrase is not a 2nd factor.<br>
> I'd like to see SSH key + pw become the standard.<br>
><br>
><br>
> On Thu, Dec 27, 2012 at 4:39 PM, Mike Harrison <<a href="mailto:cluon@geeklabs.com">cluon@geeklabs.com</a>> wrote:<br>
>><br>
>> David:<br>
>>><br>
>>> I'm not aware of any way to configure OpenSSH to ask for multiple<br>
>>> authentication factors. You can fudge it with PAM (password + otp, for<br>
>>> example) but not with anything involving public<br>
>>> keys. (Unless something has changed since I looked ~1 year ago at my<br>
>>> last job.)<br>
>><br>
>><br>
>> Good disclaimer, :) Best example I found is listed below,<br>
>> and while it's new to OpenSSH, it's been around in other versions<br>
>> (<a href="http://ssh.com" target="_blank">ssh.com</a>). Looks like two-factor auth has been added to OpenSSH in certain<br>
>> versions. It does not work on my Bodhi Linux system. (OpenSSH_5.9p1<br>
>> Debian-5ubuntu1)<br>
>><br>
>> It also does not show up in the official docs:<br>
>> <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5" target="_blank">http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5</a><br>
>><br>
>> I've got a Redhat system I can test in the office... and will do when I<br>
>> can....<br>
>><br>
>><br>
>> -------------------------------------------------------<br>
>><br>
>> <a href="https://bugzilla.redhat.com/show_bug.cgi?id=657378" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=657378</a><br>
>><br>
>> Fixed In Version: openssh-5.3p1-80.el6<br>
>> Doc Type: Enhancement<br>
>> Doc Text:<br>
>> Multiple required methods of authentications for sshd SSH can now be set<br>
>> up to require multiple ways of authentication (whereas previously SSH<br>
>> allowed multiple ways of authentication of which only one was required for a<br>
>> successful login); for example, logging in to an SSH-enabled machine<br>
>> requires both a passphrase and a public key to be entered. The<br>
>> RequiredAuthentications1 and RequiredAuthentications2 options can be<br>
>> configured in the /etc/ssh/sshd_config file to specify authentications that<br>
>> are required for a successful log in. For example: ~]# echo<br>
>> "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config For<br>
>> more information on the aforementioned /etc/ssh/sshd_config options, refer<br>
>> to the sshd_config man page.<br>
>><br>
>><br>
><br>
><br>
><br>
> --<br>
> David Tomaschik<br>
> OpenPGP: 0x5DEA789B<br>
> <a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br>
> <a href="mailto:david@systemoverlord.com">david@systemoverlord.com</a><br>
><br>
</div></div><div class="im">> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
><br>
<br>
</div>--<br>
James P. Kinney III<br>
<br>
Every time you stop a school, you will have to build a jail. What you<br>
gain at one end you lose at the other. It's like feeding a dog on his<br>
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br>
<br>
<a href="http://electjimkinney.org" target="_blank">http://electjimkinney.org</a><br>
<a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br>
<div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div></div>
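The client-side audit Jim describes above hinges on telling a passphrase-protected private key from one stored in the clear. The following is an added example, not code from this thread or from OpenSSH: it decides that from the key file itself (the openssh-key-v1 container records its cipher name, "none" meaning no passphrase; legacy PEM keys carry a "Proc-Type: 4,ENCRYPTED" header) rather than by running ssh-add, and it assumes the key texts are handed in as strings. The fixture-building helper and the legacy PEM sample are constructed for the example and are not usable keys.

```python
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN (?:([A-Z]+) )?PRIVATE KEY-----\r?\n(.*?)-----END", re.S)


def _ssh_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_is_encrypted(text):
    """True if a PEM-armoured private key is passphrase-protected, else False.

    openssh-key-v1: the cipher name right after the magic is "none" when the
    key was saved without a passphrase. Legacy PEM (RSA/DSA/EC): encryption is
    signalled by a "Proc-Type: 4,ENCRYPTED" header. PKCS#8 "ENCRYPTED PRIVATE
    KEY" is encrypted by definition; a plain "PRIVATE KEY" block is not."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("not a PEM-armoured private key")
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _ssh_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    if label == "ENCRYPTED":
        return True
    return "Proc-Type: 4,ENCRYPTED" in body


def unprotected_keys(keys):
    """Given {path: file_text}, return the sorted paths whose key has no passphrase."""
    return sorted(p for p, t in keys.items() if not key_is_encrypted(t))


def constructed_openssh_key(cipher):
    """CONSTRUCTED fixture: only magic + cipher + kdf name, enough for the check, not a usable key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(b"none" if cipher == b"none" else b"bcrypt")
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Feeding `unprotected_keys` the contents of each user's key files gives the list of keys Jim's script would have flagged; as David notes, the check only helps where you control the client, whereas the sshd-side required-methods option enforces the policy regardless.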