Thomas Delrue on 26 Jul 2017 10:06:36 -0700



Re: [PLUG] SSH Hardening : Request for Best Practices


On 07/26/2017 06:13 AM, Rich Freeman wrote:
> On Wed, Jul 26, 2017 at 9:07 AM, Louis K <louis.kratz@gmail.com> wrote:
>> *  I'm considering adding two factor auth in addition to the ssh keys. Is
>> this overkill? I think in that case the 2-factor-auth really only protects
>> me against someone getting my key (i.e., stealing my laptop and sshing in),
>> which I _think_ is unlikely.
> 
> You understand the threat model - I can't say whether it is overkill.
> It is more than I do.
> 
> I gave a recent talk on 2FA, but the example configuration I used does
> not require 2FA if using an SSH key.

If I enable 2FA, can I do that just for certain accounts (or disable it
for some specific ones)? I'm asking because I have automated processes
that need to SSH into a box, do things and get out (historical reasons,
don't ask...).
If this is possible, wouldn't that bypass the whole point of 2FA (unless
the automated processes use very, very limited accounts - I guess - in
which case, what is the point of 2FA)?

As a general question/musing: could one replace "2FA" with "needs a
human to confirm access to another device in order to actually do stuff",
or are there automated ways of doing 2FA, so that it could instead be
replaced with just "needs confirmed access to another device"?
Again, if the latter, namely that there are automated ways of doing 2FA,
doesn't that circumvent the whole point of 2FA, because now I need 2FA
on the box which provides my 2FA token, which needs a 2FA token provider
which needs 2FA to access that one which needs 2FA to etc... etc...

> I believe with modern versions of openssh you can require both using:
> 
> AuthenticationMethods publickey,keyboard-interactive
> 
> See also:
> https://blog.compass-security.com/2013/07/openssh-enables-true-multi-factor-authentication/

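The per-account question above (key plus second factor for humans, key only for an automation account) is exactly what sshd's Match blocks are for, and the quoted `AuthenticationMethods publickey,keyboard-interactive` line is the global half of it. The following is an added example, not code from the thread or from OpenSSH: a constructed sshd_config fragment showing the global requirement and a `Match User` exemption, plus a small resolver that applies sshd's precedence rules (global section: first occurrence wins; a matching Match block overrides the global value; among several matching Match blocks the first one that sets a keyword wins) so you can see which methods each user ends up needing. The account name `backup-bot` and the path `/usr/local/bin/backup-pull` are hypothetical placeholders.

```python
import fnmatch
import shlex

# Constructed sample sshd_config for this example (not from the original thread).
# Everyone must present a key AND complete keyboard-interactive (PAM/OTP);
# the automation account is exempted in a Match block and locked down instead.
SAMPLE_SSHD_CONFIG = """
# global section: key + second factor for everyone
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

# hypothetical automation account: key only, and nothing it could do with a shell
Match User backup-bot
    AuthenticationMethods publickey
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    AllowTcpForwarding no
    ForceCommand /usr/local/bin/backup-pull

# first-match-wins demonstration: for backup-bot this block never overrides the one above
Match User backup-*
    AuthenticationMethods publickey,keyboard-interactive
"""


def parse_sshd_config(text):
    """Split sshd_config into the global section and an ordered list of Match blocks.

    Returns (global_lines, match_blocks); each block is (criteria, [(keyword, value), ...]).
    sshd keywords are case-insensitive, so they are lower-cased here. Everything after a
    Match line belongs to that block until the next Match line, as in sshd itself.
    """
    global_lines = []
    match_blocks = []
    current = global_lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            criteria = {}  # empty dict == "Match all"
            if [a.lower() for a in args] != ["all"]:
                for i in range(0, len(args), 2):
                    criteria[args[i].lower()] = args[i + 1].split(",")
            current = []
            match_blocks.append((criteria, current))
            continue
        current.append((keyword, " ".join(args)))
    return global_lines, match_blocks


def _block_matches(criteria, user):
    """Approximation of sshd's Match evaluation: only the User criterion is modelled
    (sshd also knows Group, Host, Address, LocalAddress, LocalPort), and shell-style
    wildcards stand in for sshd's pattern lists."""
    if not criteria:  # "Match all"
        return True
    patterns = criteria.get("user")
    if patterns is None:
        return False  # criterion we do not model: treat the block as not matching
    return any(fnmatch.fnmatchcase(user, p) for p in patterns)


def effective_option(text, user, keyword):
    """Resolve the value sshd would use for `keyword` when `user` connects."""
    keyword = keyword.lower()
    global_lines, match_blocks = parse_sshd_config(text)
    for criteria, lines in match_blocks:  # first matching block that sets it wins
        if _block_matches(criteria, user):
            for k, v in lines:
                if k == keyword:
                    return v
    for k, v in global_lines:  # otherwise the first global occurrence
        if k == keyword:
            return v
    return None


def required_methods(text, user):
    """Return the alternatives a user must satisfy as a list of method sequences,
    e.g. [["publickey", "keyboard-interactive"]] means key first, then OTP prompt.
    None means no AuthenticationMethods restriction applies."""
    value = effective_option(text, user, "AuthenticationMethods")
    if value is None or value.lower() == "any":
        return None
    return [alternative.split(",") for alternative in value.split()]


if __name__ == "__main__":
    for u in ("louis", "backup-bot", "backup-other"):
        print(u, required_methods(SAMPLE_SSHD_CONFIG, u),
              effective_option(SAMPLE_SSHD_CONFIG, u, "ForceCommand"))
```

The resolver is a model of the rules, not the real thing; on the box itself ask sshd directly with `sshd -T -C user=backup-bot,host=bot.example,addr=192.0.2.10 | grep -i authenticationmethods` and compare against an ordinary user. Two caveats worth remembering: `keyboard-interactive` only becomes a second factor once `UsePAM yes` plus a PAM OTP module are in place (and `ChallengeResponseAuthentication yes`, renamed `KbdInteractiveAuthentication` in recent releases), and the exempted account is only as safe as its key and its restrictions, so pin the key in `authorized_keys` with `from=` and `restrict`/`command=` as well as the Match-block limits shown.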

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug