[ale] OpenSSH RequiredAuthentications2 publickey,password

David Tomaschik david at systemoverlord.com
Sat Dec 29 02:24:55 EST 2012


On Fri, Dec 28, 2012 at 2:54 PM, Scott Plante <splante at insightsys.com> wrote:

> Actually, as I ponder a bit more, I have to agree with you David. My other
> points not withstanding, an SSH key is about "having" something, and a
> password is about "knowing" something. So ssh key+password is
> having+knowing. I'm still interested in the security token thing for some
> applications, but it's also about "having" something, so ssh key+token is
> really just having+having. They're potentially different things that you
> have and that might offer some advantages, but having+knowing is better.
>
> Scott
>
>
Thinking some more, it occurs to me that PW+otp is probably slightly more
secure than PW+key, but at the expense of always needing your OTP generator
(so, phone with dead battery could be a problem).  It's theoretically
possible to capture the unencrypted SSH key out of memory (or get it from
disk for someone who doesn't use a passphrase -- and if you have that
access, keylog the password).  With OTP, while you can keylog one entry of
the OTP, that will only be valid for ~1 minute.

Hrrm, SSH key + otp + password?  Overkill?  Probably...



> ------------------------------
> *From: *"Scott Plante" <splante at insightsys.com>
>
> *To: *"Atlanta Linux Enthusiasts" <ale at ale.org>
> *Sent: *Friday, December 28, 2012 3:10:16 PM
>
> *Subject: *Re: [ale] OpenSSH RequiredAuthentications2 publickey,password
>
> True, kinda. I do maintain a lock code on my phone so you'd still have to
> get past that, and while I might leave my laptop or tablet in my room, it's
> extremely rare for me to leave my phone.
>
> Also, I get that in certain ways the phone token is less secure than the
> password. Certainly I don't want to look up a phone token every time I do
> an SSH connection. In my case, I'm worried about me and a couple of other
> people using ssh, so I can enforce the use of a passphrase with SSH. I
> realize that an admin with lots of ssh users can't really enforce that. Of
> course, in other ways, the phone token can be more secure than the
> password, because you do actually have to get possession of my phone or
> list of single use codes. It eliminates a number of different password
> attacks.
>
> Thanks for the link and info. I kinda knew it was possible, but I've been
> trying to find the time to search for some kind of how-to for setting all
> that up. Also, my firewall is pfSense so I need BSD support on that side.
> Just one of many projects on the list.
>
> Scott
>
> ------------------------------
> *From: *"David Tomaschik" <david at systemoverlord.com>
> *To: *"Atlanta Linux Enthusiasts" <ale at ale.org>
> *Sent: *Friday, December 28, 2012 2:20:12 PM
> *Subject: *Re: [ale] OpenSSH RequiredAuthentications2 publickey,password
>
> Key + Phone Token doesn't add as much as Key + Password.  With Key + Phone
> token, if I break into your hotel room and you've left your phone and
> laptop, you're done.
>
> That being said, the Google Authenticator app is just an implementation of
> RFC 6238 TOTP -- and there's a PAM module available:
> https://code.google.com/p/google-authenticator/
>
> So, with current OpenSSH, you can do password + otp via PAM.
>
> (Since we're discussing a Google product, the usual disclaimer about this
> being my opinion only, not speaking on behalf of my employer, etc. applies.)
>
> David
>
>
> On Fri, Dec 28, 2012 at 11:06 AM, Scott Plante <splante at insightsys.com> wrote:
>
>> Rather than a password, I'd like to see something like what Google does.
>> They have an app on your phone that generates a temporary code that you
>> have to enter. Or they can text you the code, if you don't have a phone
>> that'll run the app. The code is only good for a very short period, like
>> 20-30 seconds. In Google's case, it's in addition to a password. You don't
>> have to enter the code every time on a given device, but you do every so
>> often (maybe once a month). You always have to enter it the first time on a
>> new device. When you set this up for your Google account, they also give
>> you a list of long, one-time-use passwords to print and keep in your
>> (physical) wallet or some secure location. You can use them in case the
>> 2-factor system is down or you don't have your phone. This is similar to
>> the key-fob Security Tokens that have been out for more than a decade,
>> except you don't have to buy/carry a separate device, and you don't have to
>> replace it when your encryption gets hacked, like RSA's SecurID was. Just
>> send out an app update.
>>
>> I'd like to be able to set up different rules for different systems, like
>> require code every time on the external interface to the firewall. Or
>> always require it if you're logging in from a new IP address for a given
>> user.
>>
>> Scott
>> ------------------------------
>> *From: *"David Tomaschik" <david at systemoverlord.com>
>> *To: *"Mike Harrison" <cluon at geeklabs.com>
>> *Cc: *"Atlanta Linux Enthusiasts" <ale at ale.org>
>> *Sent: *Friday, December 28, 2012 1:17:04 PM
>> *Subject: *Re: [ale] OpenSSH RequiredAuthentications2 publickey,password
>>
>>
>> Some googling around the option name (RequiredAuthentications2) suggests
>> that it is only in RH's patched version of OpenSSH, however a patch based
>> on that should be included in OpenSSH 6.2.  I look forward to that -- SSH
>> keys are NOT 2-factor, despite what many people may say.  There's no way to
>> force someone to have an encrypted key, so the passphrase is not a 2nd
>> factor.  I'd like to see SSH key + pw become the standard.
>>
>>
>> On Thu, Dec 27, 2012 at 4:39 PM, Mike Harrison <cluon at geeklabs.com> wrote:
>>
>>> David:
>>>
>>>> I'm not aware of any way to configure OpenSSH to ask for multiple
>>>> authentication factors.  You can fudge it with PAM (password + otp, for
>>>> example) but not with anything involving public
>>>> keys.  (Unless something has changed since I looked ~1 year ago at my
>>>> last job.)
>>>>
>>>
>>> Good disclaimer, :)  Best example I found is listed below,
>>> and while it's new to OpenSSH, it's been around in other versions (
>>> ssh.com) Look like two factor auth has been added to OpenSSH in certain
>>> versions.  It does not work on my Bodhi Linux system. (OpenSSH_5.9p1
>>> Debian-5ubuntu1)
>>>
>>> It also does not show up in the official docs:
>>> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
>>>
>>> I've got a Redhat system I can test in the office... and will do when I
>>> can....
>>>
>>>
>>> -------------------------------------------------------
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=657378
>>>
>>> Fixed In Version:       openssh-5.3p1-80.el6
>>> Doc Type:       Enhancement
>>> Doc Text:
>>> Multiple required methods of authentications for sshd SSH can now be set
>>> up to require multiple ways of authentication (whereas previously SSH
>>> allowed multiple ways of authentication of which only one was required for
>>> a successful login); for example, logging in to an SSH-enabled machine
>>> requires both a passphrase and a public key to be entered. The
>>> RequiredAuthentications1 and RequiredAuthentications2 options can be
>>> configured in the /etc/ssh/sshd_config file to specify authentications that
>>> are required for a successful log in. For example: ~]# echo
>>> "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config For
>>> more information on the aforementioned /etc/ssh/sshd_config options, refer
>>> to the sshd_config man page.
>>>
>>>
>>>
>>
>>
>> --
>> David Tomaschik
>> OpenPGP: 0x5DEA789B
>> http://systemoverlord.com
>> david at systemoverlord.com
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>>
>
>


-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com