[ale] OpenSSH RequiredAuthentications2 publickey,password

Scott Plante splante at insightsys.com
Fri Dec 28 14:06:12 EST 2012


Rather than a password, I'd like to see something like what Google does. They have an app on your phone that generates a temporary code that you have to enter. Or they can text you the code, if you don't have a phone that'll run the app. The code is only good for a very short period, like 20-30 seconds. In Google's case, it's in addition to a password. You don't have to enter the code every time on a given device, but you do every so often (maybe once a month). You always have to enter it the first time on a new device. When you set this up for your Google account, they also give you a list of long, one-time-use passwords to print and keep in your (physical) wallet or some secure location. You can use them in case the 2-factor system is down or you don't have your phone. This is similar to the key-fob Security Tokens that have been out for more than a decade, except you don't have to buy/carry a separate device, and you don't have to replace it when your encryption gets hacked, like RSA's SecurID was. Just send out an app update. 


I'd like to be able to set up different rules for different systems, like require code every time on the external interface to the firewall. Or always require it if you're logging in from a new IP address for a given user. 

Scott 
----- Original Message -----

From: "David Tomaschik" <david at systemoverlord.com> 
To: "Mike Harrison" <cluon at geeklabs.com> 
Cc: "Atlanta Linux Enthusiasts" <ale at ale.org> 
Sent: Friday, December 28, 2012 1:17:04 PM 
Subject: Re: [ale] OpenSSH RequiredAuthentications2 publickey,password 


Some googling around the option name (RequiredAuthentications2) suggests that it is only in RH's patched version of OpenSSH, however a patch based on that should be included in OpenSSH 6.2. I look forward to that -- SSH keys are NOT 2-factor, despite what many people may say. There's no way to force someone to have an encrypted key, so the passphrase is not a 2nd factor. I'd like to see SSH key + pw become the standard. 



On Thu, Dec 27, 2012 at 4:39 PM, Mike Harrison <cluon at geeklabs.com> wrote: 


David: 

<blockquote>
> I'm not aware of any way to configure OpenSSH to ask for multiple authentication factors. You can fudge it with PAM (password + otp, for example) but not with anything involving public keys. (Unless something has changed since I looked ~1 year ago at my last job.) 



Good disclaimer. :) The best example I found is listed below, and while it's new to OpenSSH, it's been around in other versions (ssh.com). Looks like two-factor auth has been added to OpenSSH in certain versions. It does not work on my Bodhi Linux system (OpenSSH_5.9p1 Debian-5ubuntu1). 

It also does not show up in the official docs: 
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5 

I've got a Redhat system I can test in the office... and will do when I can.... 


------------------------------------------------------- 

https://bugzilla.redhat.com/show_bug.cgi?id=657378 

Fixed In Version: openssh-5.3p1-80.el6 
Doc Type: Enhancement 
Doc Text: 
Multiple required methods of authentication for sshd 

SSH can now be set up to require multiple ways of authentication (whereas previously SSH allowed multiple ways of authentication of which only one was required for a successful login); for example, logging in to an SSH-enabled machine requires both a passphrase and a public key to be entered. The RequiredAuthentications1 and RequiredAuthentications2 options can be configured in the /etc/ssh/sshd_config file to specify authentications that are required for a successful log in. For example: 

~]# echo "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config 

For more information on the aforementioned /etc/ssh/sshd_config options, refer to the sshd_config man page. 



</blockquote>




-- 
David Tomaschik 
OpenPGP: 0x5DEA789B 
http://systemoverlord.com 
david at systemoverlord.com 
_______________________________________________ 
Ale mailing list 
Ale at ale.org 
http://mail.ale.org/mailman/listinfo/ale 
See JOBS, ANNOUNCE and SCHOOLS lists at 
http://mail.ale.org/mailman/listinfo 
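As an added audit example (not from the thread, Red Hat or OpenSSH): the script below parses an sshd_config and reports which scopes, global or per Match block, still let a login through with a single factor. It understands both the Red Hat RequiredAuthentications2 keyword quoted above and upstream's AuthenticationMethods (OpenSSH 6.2 and later), where a comma joins methods that must all succeed and a space separates alternatives; the sample config is constructed, and the Match blocks stand in for Scott's "different rules for different systems" idea.

```python
import re

# Constructed sample sshd_config (not from the thread): a global two-factor
# requirement that two Match blocks relax to a single factor.
SAMPLE_CONFIG = """\
# key AND password for everyone (Red Hat keyword, as in the Bugzilla text)
RequiredAuthentications2 publickey,password

Match Address 10.0.0.0/8
    AuthenticationMethods publickey

Match User backup
    AuthenticationMethods password
"""
# Red Hat patch keyword quoted in the thread, and the upstream OpenSSH 6.2+ one
METHOD_KEYWORDS = ("requiredauthentications2", "authenticationmethods")

def parse_required_methods(config_text):
    """Map each scope ('global' or a Match line) to its alternatives; each
    alternative is the comma-joined list of methods that must ALL succeed."""
    scopes = {"global": []}
    scope = "global"
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()             # strip comments
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        keyword, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":                          # a new Match block starts
            scope = line
            scopes[scope] = []
        elif keyword in METHOD_KEYWORDS:
            scopes[scope] = [alt.split(",") for alt in value.split()]
    return scopes

def weak_scopes(scopes, min_factors=2):
    """Scopes where some alternative needs fewer than min_factors distinct
    methods. A Match block without its own line inherits the global one;
    no setting anywhere means any single method is enough to log in."""
    global_alts = scopes.get("global", [])
    weak = []
    for scope, alts in scopes.items():
        effective = alts or global_alts
        if not effective or any(len(set(a)) < min_factors for a in effective):
            weak.append(scope)
    return weak

if __name__ == "__main__":
    # prints the two Match blocks, which each accept a single factor
    print("single-factor scopes:", weak_scopes(parse_required_methods(SAMPLE_CONFIG)))
```

Run it against a real file with `parse_required_methods(open("/etc/ssh/sshd_config").read())`; any scope it lists is one where key-only or password-only login is still accepted.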
