Rich Freeman on 18 Aug 2012 04:40:45 -0700
Re: [PLUG] Two Factor Authentication
On Tue, Aug 14, 2012 at 2:58 PM, Matt Mossholder <matt@mossholder.com> wrote:
> On Tue, Aug 14, 2012 at 2:49 PM, Art Clemons <artclemons@aol.com> wrote:
>>
>> I noticed the following on howtogeek. I wonder how reliable Google's
>> setup is for what amounts to a really occasional connection.

I don't see how reliability is going to be a concern here - none of this relies on Google's infrastructure to actually run. This is a time-based authentication code - once you have it set up it just runs as long as your phone works.

>> Anyone know of
>> a better technique or of possible security holes. I for example wonder
>> about the rate limiting authentication reliability or the emergency
>> authentication to allow authentication with no cell phone.
>>

I can't see how the rate-limit wouldn't work, but you could easily test this. It must store the last connection attempt info locally. Again, this doesn't use Google infrastructure.

> Of particular note is the part about moving the seed file out of the user's
> directory, and removing the user's access to it.

Unless you're doing the same thing already with the authorized_keys file I don't see how this is a huge security improvement. It probably matters more for shared systems where administrators want to enforce the use of two-factor, which I would guess is a target audience for CentOS.

Using this for SSH is reminiscent of s/key, which tries to accomplish something similar but it isn't time-based. I imagine you could find an s/key client for android/etc and use that in a similar manner.

Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug