K.S. Bhaskar on 26 Jul 2017 10:24:44 -0700 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: [PLUG] SSH Hardening : Request for Best Practices |
On 07/26/2017 06:13 AM, Rich Freeman wrote:
> On Wed, Jul 26, 2017 at 9:07 AM, Louis K <louis.kratz@gmail.com> wrote:
>> * I'm considering adding two factor auth in addition to the ssh keys. Is
>> this overkill? I think in that case the 2-factor-auth really only protects
>> me against someone getting my key (i.e., stealing my laptop and sshing in),
>> which I _think_ is unlikely.
>
> You understand the threat model - I can't say whether it is overkill.
> It is more than I do.
>
> I gave a recent talk on 2FA, but the example configuration I used does
> not require 2FA if using an SSH key.
If I enable 2FA, can I do that just for certain accounts (or disable it
for some specific ones)? I'm asking because I have automated processes
that need to SSH into a box, do things and get out (historical reasons,
don't ask...).
If this is possible, wouldn't that bypass the whole point of 2FA (unless
the automated processes use very, very limited accounts - I guess - in
which case, what is the point of 2FA)?
As a general question/musing: could one replace "2FA" with "needs a
human to confirm access to another device in order to actually do stuff"
or are there automated ways of doing 2FA, and thus be replaced with just
"needs confirmed access to another device"?
Again, if the latter, namely that there are automated ways of doing 2FA,
doesn't that circumvent the whole point of 2FA, because now I need 2FA
on the box which provides my 2FA token, which needs a 2FA token provider
which needs 2FA to access that one which needs 2FA to etc... etc...
> I believe with modern versions of openssh you can require both using:
>
> AuthenticationMethods publickey,keyboard-interactive
>
> See also:
> https://blog.compass-security.com/2013/07/openssh-enables- true-multi-factor- authentication/
____________________________________________________________ _______________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug