[ale] OpenSSH RequiredAuthentications2 publickey,password
Jim Kinney
jim.kinney at gmail.com
Sat Dec 29 09:56:24 EST 2012
On Sat, Dec 29, 2012 at 2:21 AM, David Tomaschik
<david at systemoverlord.com> wrote:
> On Fri, Dec 28, 2012 at 4:11 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>>
>> In days past I looked a generating a script that runs ssh-add on user
>> keys. Any keys that add to ssh-agent without password request will get
>> edited to include a '!' as the first character of the key. An email is
>> generated that informs the (l)user of the security requirements and
>> what was changed. Second offense deletes the key.
>
>
> While that sounds great, it assumes you have control over the client
> machine. That's not a valid assumption in a lot of cases.
True. As the remote end was under my control, I could require
connections from known users in a controlled environment.
Maybe the ssh connection protocol needs a flag on key use that
indicates whether the key uses a secondary auth method, password, CAC
card, etc.
>
>
>>
>>
>> On Fri, Dec 28, 2012 at 1:17 PM, David Tomaschik
>> <david at systemoverlord.com> wrote:
>> > Some googling around the option name (RequiredAuthentications2) suggests
>> > that it is only in RH's patched version of OpenSSH, however a patch
>> > based on
>> > that should be included in OpenSSH 6.2. I look forward to that -- SSH
>> > keys
>> > are NOT 2-factor, despite what many people may say. There's no way to
>> > force
>> > someone to have an encrypted key, so the passphrase is not a 2nd factor.
>> > I'd like to see SSH key + pw become the standard.
>> >
>> >
>> > On Thu, Dec 27, 2012 at 4:39 PM, Mike Harrison <cluon at geeklabs.com>
>> > wrote:
>> >>
>> >> David:
>> >>>
>> >>> I'm not aware of any way to configure OpenSSH to ask for multiple
>> >>> authentication factors. You can fudge it with PAM (password + otp,
>> >>> for
>> >>> example) but not with anything involving public
>> >>> keys. (Unless something has changed since I looked ~1 year ago at my
>> >>> last job.)
>> >>
>> >>
>> >> Good disclaimer, :) Best example I found is listed below,
>> >> and while it's new to OpenSSH, it's been around in other versions
>> >> (ssh.com) Look like two factor auth has been added to OpenSSH in
>> >> certain
>> >> versions. It does not work on my Bodhi Linux system. (OpenSSH_5.9p1
>> >> Debian-5ubuntu1)
>> >>
>> >> It also does not show up in the official docs:
>> >> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
>> >>
>> >> I've got a Redhat system I can test in the office... and will do when I
>> >> can....
>> >>
>> >>
>> >> -------------------------------------------------------
>> >>
>> >> https://bugzilla.redhat.com/show_bug.cgi?id=657378
>> >>
>> >> Fixed In Version: openssh-5.3p1-80.el6
>> >> Doc Type: Enhancement
>> >> Doc Text:
>> >> Multiple required methods of authentications for sshd SSH can now be
>> >> set
>> >> up to require multiple ways of authentication (whereas previously SSH
>> >> allowed multiple ways of authentication of which only one was required
>> >> for a
>> >> successful login); for example, logging in to an SSH-enabled machine
>> >> requires both a passphrase and a public key to be entered. The
>> >> RequiredAuthentications1 and RequiredAuthentications2 options can be
>> >> configured in the /etc/ssh/sshd_config file to specify authentications
>> >> that
>> >> are required for a successful log in. For example: ~]# echo
>> >> "RequiredAuthentications2 publickey,password" >> /etc/ssh/sshd_config
>> >> For
>> >> more information on the aforementioned /etc/ssh/sshd_config options,
>> >> refer
>> >> to the sshd_config man page.
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > David Tomaschik
>> > OpenPGP: 0x5DEA789B
>> > http://systemoverlord.com
>> > david at systemoverlord.com
>> >
>> > _______________________________________________
>> > Ale mailing list
>> > Ale at ale.org
>> > http://mail.ale.org/mailman/listinfo/ale
>> > See JOBS, ANNOUNCE and SCHOOLS lists at
>> > http://mail.ale.org/mailman/listinfo
>> >
>>
>>
>>
>> --
>> --
>> James P. Kinney III
>>
>> Every time you stop a school, you will have to build a jail. What you
>> gain at one end you lose at the other. It's like feeding a dog on his
>> own tail. It won't fatten the dog.
>> - Speech 11/23/1900 Mark Twain
>>
>> http://electjimkinney.org
>> http://heretothereideas.blogspot.com/
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>
>
>
>
> --
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
--
--
James P. Kinney III
Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
http://electjimkinney.org
http://heretothereideas.blogspot.com/
More information about the Ale
mailing list