[ale] OpenSSH RequiredAuthentications2 publickey,password

David Tomaschik david at systemoverlord.com
Sat Dec 29 02:21:00 EST 2012


On Fri, Dec 28, 2012 at 4:11 PM, Jim Kinney <jim.kinney at gmail.com> wrote:

> In days past I looked at generating a script that runs ssh-add on user
> keys. Any keys that add to ssh-agent without password request will get
> edited to include a '!' as the first character of the key. An email is
> generated that informs the (l)user of the security requirements and
> what was changed. Second offense deletes the key.
>

While that sounds great, it assumes you have control over the client
machine.  That's not a valid assumption in a lot of cases.



>
> On Fri, Dec 28, 2012 at 1:17 PM, David Tomaschik
> <david at systemoverlord.com> wrote:
> > Some googling around the option name (RequiredAuthentications2) suggests
> > that it is only in RH's patched version of OpenSSH, however a patch based
> > on that should be included in OpenSSH 6.2.  I look forward to that -- SSH
> > keys are NOT 2-factor, despite what many people may say.  There's no way
> > to force someone to have an encrypted key, so the passphrase is not a 2nd
> > factor.  I'd like to see SSH key + pw become the standard.
> >
> >
> > On Thu, Dec 27, 2012 at 4:39 PM, Mike Harrison <cluon at geeklabs.com> wrote:
> >>
> >> David:
> >>>
> >>> I'm not aware of any way to configure OpenSSH to ask for multiple
> >>> authentication factors.  You can fudge it with PAM (password + otp, for
> >>> example) but not with anything involving public
> >>> keys.  (Unless something has changed since I looked ~1 year ago at my
> >>> last job.)
> >>
> >>
> >> Good disclaimer, :)  Best example I found is listed below, and while
> >> it's new to OpenSSH, it's been around in other versions (ssh.com).
> >> Looks like two-factor auth has been added to OpenSSH in certain
> >> versions.  It does not work on my Bodhi Linux system. (OpenSSH_5.9p1
> >> Debian-5ubuntu1)
> >>
> >> It also does not show up in the official docs:
> >> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
> >>
> >> I've got a Redhat system I can test in the office... and will do when I
> >> can....
> >>
> >>
> >> -------------------------------------------------------
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=657378
> >>
> >> Fixed In Version:       openssh-5.3p1-80.el6
> >> Doc Type:       Enhancement
> >> Doc Text:
> >> Multiple required methods of authentications for sshd
> >>
> >> SSH can now be set up to require multiple ways of authentication
> >> (whereas previously SSH allowed multiple ways of authentication of which
> >> only one was required for a successful login); for example, logging in
> >> to an SSH-enabled machine requires both a passphrase and a public key to
> >> be entered. The RequiredAuthentications1 and RequiredAuthentications2
> >> options can be configured in the /etc/ssh/sshd_config file to specify
> >> authentications that are required for a successful login. For example:
> >>
> >>   ~]# echo "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config
> >>
> >> For more information on the aforementioned /etc/ssh/sshd_config options,
> >> refer to the sshd_config man page.
> >>
> >>
> >
> >
> >
> > --
> > David Tomaschik
> > OpenPGP: 0x5DEA789B
> > http://systemoverlord.com
> > david at systemoverlord.com
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
>
>
>
> --
> James P. Kinney III
>
> Every time you stop a school, you will have to build a jail. What you
> gain at one end you lose at the other. It's like feeding a dog on his
> own tail. It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
>
> http://electjimkinney.org
> http://heretothereideas.blogspot.com/
>



-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
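As an added example, not part of the original thread or of any OpenSSH or Red Hat code: a small POSIX shell audit that reports the effective "require both public key and password" policy of an sshd_config. It recognises the Red Hat RequiredAuthentications2 option from the bugzilla text quoted above and the AuthenticationMethods option that upstream OpenSSH shipped in 6.2 for the same purpose. It also shows two ways the quoted recipe of appending a line to /etc/ssh/sshd_config with echo can silently enforce nothing: sshd honours the first occurrence of a keyword and ignores later ones, and a line appended after a Match block belongs to that block rather than to the global configuration. The function names, temporary file names and the four sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the ALE thread): audit an sshd_config for a
# policy that demands BOTH a public key and a password. Understands the
# Red Hat RequiredAuthentications2 option quoted in the thread and the
# AuthenticationMethods option that upstream OpenSSH added in 6.2.
# Function names, file names and sample configs are constructed.

# Print the effective global value of a keyword from an sshd_config.
# sshd honours the FIRST occurrence of a keyword and ignores later ones,
# and everything after the first "Match" line is conditional, so stop there.
# Only the "Keyword value" form is handled, not "Keyword=value".
sshd_global_value() {
    # $1 = keyword (case-insensitive), $2 = path to sshd_config
    awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                  # conditional section
        tolower($1) == kw      { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$2"
}

# Succeed only if every space-separated alternative in a policy lists at
# least two distinct methods, e.g. "publickey,password publickey,keyboard-interactive".
requires_two_factors() {
    [ -n "$1" ] || return 1
    for alt in $1; do
        distinct=$(printf '%s\n' "$alt" | tr ',' '\n' | sort -u | grep -c .)
        [ "$distinct" -ge 2 ] || return 1
    done
    return 0
}

# Print the effective policy ("any", sshd's default, when unset) and return
# 0 when it enforces two methods, 1 otherwise.
sshd_mfa_policy() {
    _pol=$(sshd_global_value AuthenticationMethods "$1")
    [ -n "$_pol" ] || _pol=$(sshd_global_value RequiredAuthentications2 "$1")
    printf '%s\n' "${_pol:-any}"
    requires_two_factors "$_pol"
}

# --- Constructed sample configs (not taken from any real host) ------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The Red Hat spelling from the thread, appended to a plain config.
RH_CFG="$WORK/rh_sshd_config"
cat >"$RH_CFG" <<'EOF'
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication yes
RequiredAuthentications2 publickey,password
EOF

# 2. The upstream OpenSSH 6.2+ spelling of the same policy.
UPSTREAM_CFG="$WORK/upstream_sshd_config"
cat >"$UPSTREAM_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
EOF

# 3. The keyword was already set to a single method; the appended line is ignored.
FIRST_WINS_CFG="$WORK/first_wins_sshd_config"
cat >"$FIRST_WINS_CFG" <<'EOF'
AuthenticationMethods publickey
PasswordAuthentication yes
AuthenticationMethods publickey,password
EOF

# 4. The appended line landed inside a trailing Match block, so it only
#    applies to that user and the global policy stays at the default.
MATCH_CFG="$WORK/match_sshd_config"
cat >"$MATCH_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
AuthenticationMethods publickey,password
EOF

for cfg in "$RH_CFG" "$UPSTREAM_CFG" "$FIRST_WINS_CFG" "$MATCH_CFG"; do
    if policy=$(sshd_mfa_policy "$cfg"); then
        echo "$(basename "$cfg"): OK, requires $policy"
    else
        echo "$(basename "$cfg"): WEAK, effective policy is '$policy'"
    fi
done
```

On a real host, point sshd_mfa_policy at /etc/ssh/sshd_config, or better at a file produced by sshd -T, which dumps the effective configuration after sshd has resolved first-occurrence and include rules (it prints keywords in lower case, which the checker accepts). Configs 3 and 4 come out WEAK even though the required line is present, which is exactly the failure the blind echo-append recipe can produce.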