Rich Freeman on 28 Oct 2014 12:06:40 -0700



[PLUG] Google Authenticator / SSH


I was chatting on IRC and mentioned that I use Google Authenticator
for ssh connections (anytime I use a password - I bypass it for RSA).

This is incredibly easy to set up - I'd strongly recommend it for
anybody.  This is a decent guide:
http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/

You could even use it for console logins if you are really paranoid,
but if you do that you might want to make sure you have a way around
it if you lose your phone.

I set this up, and then I stopped worrying about fail2ban for ssh.

The other thing I usually do with PAM is add a line like this to
various services:
system-remote-login:
    auth    required    pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh/ssh_allow.pamlist

I have this set up for services like smtp, pop3, imap, and ssh.

The file it references is just a text file with a list of users.
Anybody not on the list can't log in via the specified service.  This
just greatly limits the attack surface in general.

Between the two I'm really not concerned with ssh brute force attacks.
They need to get past PAM throttling, the account password, Google
Authenticator attempt throttling, and the time-based OTP token (a
six-digit number valid for 30 seconds).  Either that or they need an
RSA key, which obviously isn't going to get brute-forced.  A failed
attempt gives no information as to what component of the
authentication failed.

The only downside is that when I'm doing clonezilla backups at home I
have to carry my smartphone around from PC to PC just to log in.  :)
I'm sure there is some clever way with PAM to exempt local connections
to a specific account.

The next step is to get all of that working with a U2F token if they
ever extend the protocol to something other than JavaScript and a USB
connection.

If we ever do 15-minute talks I'd be happy to toss together a few
slides and do a demo.  This one might even fit into a lightning talk.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
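The six-digit, 30-second code the message relies on is RFC 6238 TOTP (HOTP over a time counter), which is what Google Authenticator and pam_google_authenticator compute. The following is an added example, not Rich's code or the PAM module's; the base32 secret and the verification window of one step either side are constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # Google Authenticator's default time step
DIGITS = 6          # six-digit codes, as in the message


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, unix_time // step)


def decode_base32_secret(secret: str) -> bytes:
    """Google Authenticator shows secrets as unpadded base32; restore padding before decoding."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify(key: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock skew).

    compare_digest keeps the check constant-time, so a rejected attempt does not
    leak which digits were wrong; throttling attempts is left to PAM, as in the message.
    """
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(key, counter + delta), candidate)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed demo secret (not a real enrolment); run it to see the current code.
    key = decode_base32_secret("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    print(totp(key, now), verify(key, totp(key, now), now))
```

The test vectors in RFC 6238 (secret `12345678901234567890`, SHA-1) give the expected codes after dropping to six digits.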