Rich Freeman on 26 Jul 2017 06:14:00 -0700



Re: [PLUG] SSH Hardening : Request for Best Practices


On Wed, Jul 26, 2017 at 9:07 AM, Louis K <louis.kratz@gmail.com> wrote:
> *  I'm considering adding two factor auth in addition to the ssh keys. Is
> this overkill? I think in that case the 2-factor-auth really only protects
> me against someone getting my key (i.e., stealing my laptop and sshing in),
> which I _think_ is unlikely.

You understand the threat model - I can't say whether it is overkill.
It is more than I do.

I gave a recent talk on 2FA, but the example configuration I used does
not require 2FA if using an SSH key.

I believe with modern versions of openssh you can require both using:

AuthenticationMethods publickey,keyboard-interactive

See also:
https://blog.compass-security.com/2013/07/openssh-enables-true-multi-factor-authentication/


-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
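
An added example, not part of the original message: a small check of whether an sshd_config really demands both a key and a keyboard-interactive step. In AuthenticationMethods, commas join methods that must all succeed, while spaces separate alternative lists. The function names and sample configs are constructed for illustration, and only the global section (before any Match block) is examined.

```python
import re

REQUIRED = {"publickey", "keyboard-interactive"}

def auth_method_lists(config_text):
    """Return the global AuthenticationMethods value as a list of sets,
    one set per space-separated alternative, or None if it is not set."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line)
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            break  # stop at the first Match block: global section only
        if keyword == "authenticationmethods":
            # sshd uses the first value it sees for a keyword.
            # "keyboard-interactive:pam" counts as keyboard-interactive.
            return [{m.split(":", 1)[0] for m in lst.split(",")} for lst in args]
    return None

def requires_key_and_2fa(config_text):
    """True only if every accepted alternative includes both methods."""
    lists = auth_method_lists(config_text)
    return bool(lists) and all(REQUIRED <= alt for alt in lists)

# Constructed sample configurations.
BOTH = """# key AND second factor
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""
EITHER = "AuthenticationMethods publickey keyboard-interactive\n"  # space = OR
WITH_PAM = "AuthenticationMethods publickey,keyboard-interactive:pam\n"
UNSET = "PasswordAuthentication no\n"  # default: any single method suffices
MATCH_ONLY = "Match User alice\n  AuthenticationMethods publickey,keyboard-interactive\n"

if __name__ == "__main__":
    for name, cfg in [("BOTH", BOTH), ("EITHER", EITHER), ("WITH_PAM", WITH_PAM),
                      ("UNSET", UNSET), ("MATCH_ONLY", MATCH_ONLY)]:
        print(f"{name:10} key+2FA enforced globally: {requires_key_and_2fa(cfg)}")
```

The EITHER case is the one to watch for: replacing the comma with a space turns "key and second factor" into "key or second factor".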