[ale] OpenSSH RequiredAuthentications2 publickey,password

Jim Kinney jim.kinney at gmail.com
Fri Dec 28 19:11:30 EST 2012


In days past I looked at generating a script that runs ssh-add on user
keys. Any keys that add to ssh-agent without password request will get
edited to include a '!' as the first character of the key. An email is
generated that informs the (l)user of the security requirements and
what was changed. Second offense deletes the key.

On Fri, Dec 28, 2012 at 1:17 PM, David Tomaschik
<david at systemoverlord.com> wrote:
> Some googling around the option name (RequiredAuthentications2) suggests
> that it is only in RH's patched version of OpenSSH, however a patch based on
> that should be included in OpenSSH 6.2.  I look forward to that -- SSH keys
> are NOT 2-factor, despite what many people may say.  There's no way to force
> someone to have an encrypted key, so the passphrase is not a 2nd factor.
> I'd like to see SSH key + pw become the standard.
>
>
> On Thu, Dec 27, 2012 at 4:39 PM, Mike Harrison <cluon at geeklabs.com> wrote:
>>
>> David:
>>>
>>> I'm not aware of any way to configure OpenSSH to ask for multiple
>>> authentication factors.  You can fudge it with PAM (password + otp, for
>>> example) but not with anything involving public
>>> keys.  (Unless something has changed since I looked ~1 year ago at my
>>> last job.)
>>
>>
>> Good disclaimer, :)  Best example I found is listed below,
>> and while it's new to OpenSSH, it's been around in other versions
>> (ssh.com). Looks like two factor auth has been added to OpenSSH in certain
>> versions.  It does not work on my Bodhi Linux system. (OpenSSH_5.9p1
>> Debian-5ubuntu1)
>>
>> It also does not show up in the official docs:
>> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
>>
>> I've got a Redhat system I can test in the office... and will do when I
>> can....
>>
>>
>> -------------------------------------------------------
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=657378
>>
>> Fixed In Version:       openssh-5.3p1-80.el6
>> Doc Type:       Enhancement
>> Doc Text:
>> Multiple required methods of authentications for sshd
>>
>> SSH can now be set up to require multiple ways of authentication (whereas
>> previously SSH allowed multiple ways of authentication of which only one was
>> required for a successful login); for example, logging in to an SSH-enabled
>> machine requires both a passphrase and a public key to be entered. The
>> RequiredAuthentications1 and RequiredAuthentications2 options can be
>> configured in the /etc/ssh/sshd_config file to specify authentications that
>> are required for a successful log in. For example:
>>
>> ~]# echo "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config
>>
>> For more information on the aforementioned /etc/ssh/sshd_config options, refer
>> to the sshd_config man page.
>>
>>
>
>
>
> --
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>



-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://electjimkinney.org
http://heretothereideas.blogspot.com/
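Added example, not part of the original thread: one way to audit for the problem discussed above (private keys stored without a passphrase) by reading the key file's own header instead of loading it with ssh-add as the message describes. The function and constant names are hypothetical, the sample keys are constructed placeholders with no real key material, and the check also covers the `openssh-key-v1` file format used by later OpenSSH releases, which goes beyond what the thread mentions.

```python
import base64
import os
import struct

MAGIC = b"openssh-key-v1\x00"  # start of the decoded new-format key blob

def key_is_encrypted(text):
    """True/False for a private key file's text; None if it is not a recognised private key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or not (lines[0].startswith("-----BEGIN ") and "PRIVATE KEY" in lines[0]):
        return None
    header, body = lines[0], lines[1:-1]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, always encrypted
        return True
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(body))
            if not blob.startswith(MAGIC):
                return None
            (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        except (ValueError, struct.error):
            return None
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return cipher != b"none"  # first field after the magic is the cipher name
    # Traditional PEM (RSA/DSA/EC): encryption is declared in a Proc-Type header.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body)

def find_unprotected_keys(root):
    """Walk root and return sorted paths of private keys stored without a passphrase."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(65536)
            except OSError:
                continue
            if key_is_encrypted(text) is False:
                hits.append(path)
    return sorted(hits)

def ssh_string(b):
    """Length-prefixed string as used inside the openssh-key-v1 blob."""
    return struct.pack(">I", len(b)) + b

# Constructed samples: correct framing, placeholder bodies, no real key material.
PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                 "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
V1_PLAIN = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(MAGIC + ssh_string(b"none") + ssh_string(b"none")).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

Calling `find_unprotected_keys()` on a directory tree returns the paths to follow up on; what to do with each hit (notify, disable, delete) is left to site policy.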

