<div dir="ltr"><div style>Key + Phone Token doesn't add as much as Key + Password. With Key + Phone token, if I break into your hotel room and you've left your phone and laptop, you're done.<br><br></div><div style>
That being said, the Google Authenticator app is just an implementation of RFC 6238 TOTP -- and there's a PAM module available: <a href="https://code.google.com/p/google-authenticator/">https://code.google.com/p/google-authenticator/</a></div>
<div style><br></div><div style>So, with current OpenSSH, you can do password + otp via PAM.</div><div style><br></div><div style>(Since we're discussing a Google product, the ysual disclaimer about this being my opinion only, not speaking on behalf of my employer, etc. applies.)</div>
<div style><br></div><div style>David</div><div style><br></div><div><br></div>On Fri, Dec 28, 2012 at 11:06 AM, Scott Plante <span dir="ltr"><<a href="mailto:splante@insightsys.com" target="_blank">splante@insightsys.com</a>></span> wrote:<br>
<div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div style="font-size:12pt;font-family:arial,helvetica,sans-serif">
Rather than a password, I'd like to see something like what Google does. They have an app on your phone that generates a temporary code that you have to enter. Or they can text you the code, if you don't have a phone that'll run the app. The code is only good for a very short period, like 20-30 seconds. In Google's case, it's in addition to a password. You don't have to enter the code every time on a given device, but you do every so often (maybe once a month). You always have to enter it the first time on a new device. When you set this up for your Google account, they also give you a list of long, one-time-use passwords to print and keep in your (physical) wallet or some secure location. You can use them in case the 2-factor system is down or you don't have your phone. This is similar to the key-fob Security Tokens that have been out for more than a decade, except you don't have to buy/carry a separate device, and you don't have to replace it when your encryption gets hacked, like RSA's SecurID was. Just send out an app update.<div>
<br></div><div>I'd like to be able to set up different rules for different systems, like require code every time on the external interface to the firewall. Or always require it if you're logging in from a new IP address for a given user.<br>
<br>Scott<br><hr><div style="font-size:12pt;font-style:normal;font-family:Helvetica,Arial,sans-serif;text-decoration:initial;font-weight:normal"><b>From: </b>"David Tomaschik" <<a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>><br>
<b>To: </b>"Mike Harrison" <<a href="mailto:cluon@geeklabs.com" target="_blank">cluon@geeklabs.com</a>><br><b>Cc: </b>"Atlanta Linux Enthusiasts" <<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a>><br>
<b>Sent: </b>Friday, December 28, 2012 1:17:04 PM<br><b>Subject: </b>Re: [ale] OpenSSH RequiredAuthentications2 publickey,password<div><div class="h5"><br><br><div dir="ltr">Some googling around the option name (RequiredAuthentications2) suggests that it is only in RH's patched version of OpenSSH, however a patch based on that should be included in OpenSSH 6.2. I look forward to that -- SSH keys are NOT 2-factor, despite what many people may say. There's no way to force someone to have an encrypted key, so the passphrase is not a 2nd factor. I'd like to see SSH key + pw become the standard.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Dec 27, 2012 at 4:39 PM, Mike Harrison <span dir="ltr"><<a href="mailto:cluon@geeklabs.com" target="_blank">cluon@geeklabs.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">David:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I'm not aware of any way to configure OpenSSH to ask for multiple authentication factors. You can fudge it with PAM (password + otp, for example) but not with anything involving public<br>
keys. (Unless something has changed since I looked ~1 year ago at my last job.)<br>
</blockquote>
<br>
Good disclaimer, :) Best example I found is listed below,<br>
and while it's new to OpenSSH, it's been around in other versions (<a href="http://ssh.com" target="_blank">ssh.com</a>) Look like two factor auth has been added to OpenSSH in certain versions. It does not work on my Bodhi Linux system. (OpenSSH_5.9p1 Debian-5ubuntu1)<br>
<br>
It also does not show up in the official docs:<br>
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5" target="_blank">http://www.openbsd.org/cgi-<u></u>bin/man.cgi?query=sshd_config&<u></u>sektion=5</a><br>
<br>
I've got a Redhat system I can test in the office... and will do when I can....<br>
<br>
<br>
------------------------------<u></u>-------------------------<br>
<br>
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=657378" target="_blank">https://bugzilla.redhat.com/<u></u>show_bug.cgi?id=657378</a><br>
<br>
Fixed In Version: openssh-5.3p1-80.el6<br>
Doc Type: Enhancement<br>
Doc Text:<br>
Multiple required methods of authentications for sshd SSH can now be set up to require multiple ways of authentication (whereas previously SSH allowed multiple ways of authentication of which only one was required for a successful login); for example, logging in to an SSH-enabled machine requires both a passphrase and a public key to be entered. The RequiredAuthentications1 and RequiredAuthentications2 options can be configured in the /etc/ssh/sshd_config file to specify authentications that are required for a successful log in. For example: ~]# echo "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config For more information on the aforementioned /etc/ssh/sshd_config options, refer to the sshd_config man page.<br>
<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div>
<br></div></div>_______________________________________________<br>Ale mailing list<br><a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br><a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br><a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br></div><br></div></div></div><br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div></div>