K.S. Bhaskar on 26 Jul 2017 10:24:44 -0700



Re: [PLUG] SSH Hardening : Request for Best Practices


Two factor authentication is often thought to be "something you know" + "something you have". But the second factor could easily be a "somewhere you are" and that could in principle be applied to machine-to-machine logins. For example, it could be something as simple as an IP address (weak, but perhaps better than nothing - and maybe a static IPv6 address would be better; I haven't thought about it), or something as sophisticated as the client's current global position acquired with a GPS receiver. In either case, the location would need to be signed by the client. I don't know of any ssh extension off the shelf that does this, though.

-- Bhaskar


On Wed, Jul 26, 2017 at 1:06 PM, Thomas Delrue <delrue.thomas@gmail.com> wrote:
On 07/26/2017 06:13 AM, Rich Freeman wrote:
> On Wed, Jul 26, 2017 at 9:07 AM, Louis K <louis.kratz@gmail.com> wrote:
>> *  I'm considering adding two factor auth in addition to the ssh keys. Is
>> this overkill? I think in that case the 2-factor-auth really only protects
>> me against someone getting my key (i.e., stealing my laptop and sshing in),
>> which I _think_ is unlikely.
>
> You understand the threat model - I can't say whether it is overkill.
> It is more than I do.
>
> I gave a recent talk on 2FA, but the example configuration I used does
> not require 2FA if using an SSH key.

If I enable 2FA, can I do that just for certain accounts (or disable it
for some specific ones)? I'm asking because I have automated processes
that need to SSH into a box, do things and get out (historical reasons,
don't ask...).
If this is possible, wouldn't that bypass the whole point of 2FA (unless
the automated processes use very, very limited accounts - I guess - in
which case, what is the point of 2FA)?

As a general question/musing: could one replace "2FA" with "needs a
human to confirm access to another device in order to actually do stuff"
or are there automated ways of doing 2FA, and thus be replaced with just
"needs confirmed access to another device"?
Again, if the latter, namely that there are automated ways of doing 2FA,
doesn't that circumvent the whole point of 2FA, because now I need 2FA
on the box which provides my 2FA token, which needs a 2FA token provider
which needs 2FA to access that one which needs 2FA to etc... etc...

> I believe with modern versions of openssh you can require both using:
>
> AuthenticationMethods publickey,keyboard-interactive
>
> See also:
> https://blog.compass-security.com/2013/07/openssh-enables-true-multi-factor-authentication/

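The per-account exemption Thomas asks about and the `AuthenticationMethods` directive from the quoted reply, worked into an added sshd_config example (this is not configuration from anyone in the thread). The user name `deploybot`, the address `203.0.113.10` and the command path are assumptions; the second-factor PAM module is assumed to be installed separately.

```conf
# Global default: every login must present a key AND complete the
# keyboard-interactive step, which PAM hands to the second-factor module.
# ChallengeResponseAuthentication is the 2017-era name; newer releases
# also accept KbdInteractiveAuthentication.
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

# Exemption for one automation account, and only from one source address
# (the "somewhere you are" idea from the reply above). Both conditions
# must hold for the block to apply; the same account from any other
# address still falls under the global two-factor rule.
# The key-only account is pinned to a single command with no TTY or
# forwarding, so a stolen key yields far less than an interactive shell.
# Comments must be on their own lines: sshd does not parse trailing ones.
Match User deploybot Address 203.0.113.10
    AuthenticationMethods publickey
    ForceCommand /usr/local/bin/deploy-sync
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    AllowTcpForwarding no
```

Before reloading, `sshd -t` validates the file, and `sshd -T -C user=deploybot,addr=203.0.113.10` prints the effective settings for that user and address so the exemption can be confirmed (and the same command with a different `addr=` shows the two-factor rule still applying).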

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
