Rich Freeman on 26 Jul 2017 10:18:21 -0700


Re: [PLUG] SSH Hardening : Request for Best Practices

On Wed, Jul 26, 2017 at 1:06 PM, Thomas Delrue <> wrote:
> If I enable 2FA, can I do that just for certain accounts (or disable it
> for some specific ones)? I'm asking because I have automated processes
> that need to SSH into a box, do things and get out (historical reasons,
> don't ask...).

Yes, you can configure the rules in openssh per account I believe.
You might also be able to do it with the PAM configuration, though I'm
not sure if this is possible if you aren't using a traditional

> If this is possible, wouldn't that bypass the whole point of 2FA (unless
> the automated processes use very, very limited accounts - I guess - in
> which case, what is the point of 2FA)?

Not necessarily.  Maybe you care about the security of some accounts
more than others, but obviously anyplace you don't use it is more

> As a general question/musing: could one replace "2FA" with "needs a
> human to confirm access to another device in order to actually do stuff"
> or are there automated ways of doing 2FA, and thus be replaced with just
> "needs confirmed access to another device"?

2FA in general means having two of the following:
1.  Something you know.
2.  Something you have.
3.  Something you are.

An ssh key already combines #1 and #2 (the passphrase and the key
file), but it is somewhat weak in that the key file is readily copied,
and of course anything you know like a passphrase is easily copied.
It is stronger than a traditional password of course.

Most people use 2FA to refer to some kind of security device you
carry with you that generates TOTPs or such.  If it is a physical
device hardened against attacks that will typically make it very
robust against cloning.  If it is your phone then it is probably less
robust, but it is still a second physical object distinct from the one
carrying your ssh key.

TOTP is of course one way of doing things, but not the only.  There
has been a recent trend towards push APIs where a website triggers a
pop-up on your phone that you merely have to acknowledge by clicking
an OK button.  That accomplishes the same goal without having to
actually have you transcribe a TOTP.  You can also have keys that
interface via USB/etc that don't require any manual interaction, other
than maybe just hitting an OK button.

> Again, if the latter, namely that there are automated ways of doing 2FA,
> doesn't that circumvent the whole point of 2FA, because now I need 2FA
> on the box which provides my 2FA token, which needs a 2FA token provider
> which needs 2FA to access that one which needs 2FA to etc... etc...

Protocols like TOTP don't involve any providers in the middle
typically.  They use a clock to prevent replay and that is it.

Obviously things like pop-up messages usually involve some kind of intermediary.

I'm not entirely sure what your question was beyond that.  If you're
talking about some hypothetical type of 2FA that merely acks any
request it gets then that obviously adds no security, but that isn't
how it is done.

Philadelphia Linux Users Group         --
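The per-account rule mentioned in the first answer above, as an added example and not a configuration from the thread: OpenSSH's AuthenticationMethods directive lists the methods that must all succeed, and a Match block overrides it for named users, groups or source addresses. The account name "deploy", the group "humans" and the address range are assumptions; the second factor is whatever PAM module is wired into keyboard-interactive (a TOTP module, for instance).

```text
# sshd_config fragment (added example; "deploy", "humans" and 10.0.1.0/24 are assumptions)

# Default for everyone: a key AND a second factor delivered through PAM
# over keyboard-interactive. Plain passwords are off entirely.
PasswordAuthentication no
ChallengeResponseAuthentication yes      # KbdInteractiveAuthentication on OpenSSH 8.7+
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam

# Interactive humans can also use a hardware token's FIDO key if they have one.
Match Group humans
    AuthenticationMethods publickey,keyboard-interactive:pam

# The automated job account: key only, and only from the hosts that run the jobs.
# Match blocks apply until the next Match or end of file, so keep them last.
Match User deploy Address 10.0.1.0/24
    AuthenticationMethods publickey
```

Check the effective policy for a given connection before reloading, with the -C connection spec of sshd -T: `sshd -T -C user=deploy,host=jobhost,addr=10.0.1.5 | grep -i authenticationmethods` should print `publickey` alone, and the same command with `user=alice,addr=203.0.113.7` should print the two-method line. The caveat is the one the thread raises: for the key-only account a copied key file is all an attacker needs, so pin that key in authorized_keys with `from="..."` and `command="..."` options so it can do nothing beyond the job it exists for.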