2 Factor SSH

NightShade03 Member Posts: 1,383
Anyone ever set up SSH for 2 factor auth use?

Comments

    rfult001 Member Posts: 407
    Two-factor was just recently implemented where I work. I don't have too many details on how it is set up since I am not on the network team.

    Here are some links I found on setting up SSH with two-factor after a quick Google search (which is what I think they did here):

    Secure your SSH deployment with WiKID two-factor authentication | HowtoForge - Linux Howtos and Tutorials
    Tighter SSH Security with Two-Factor Authentication | Linux Journal
    laidbackfreak Member Posts: 991
    Yep I'm just finishing implementing a solution at my place. Combination of a pin and password. The pin is encrypted and delivered via a turing image.
    It's working ok via IE7 but I'm having issues via other browsers but I'm aware of the cause just looking for a workaround at the moment.
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
    tiersten Member Posts: 4,505
    I've setup OpenSSH with SecurID before. The link to the ACE server was done with a patch to the OpenSSH code.
    The pin is encrypted an delivered via a turin image.
    A turin image?
    gbadman Member Posts: 71
    tiersten wrote: »
    A turin image?

    My thought exactly. Are you a religious man, laidbackfreak?
    A pessimist is one who makes difficulties of his opportunities and an optimist is one who makes opportunities of his difficulties.
    - Harry Truman
    tiersten Member Posts: 4,505
    laidbackfreak wrote: »
    Yep I'm just finishing implementing a solution at my place. Combination of a pin and password. The pin is encrypted and delivered via a turing image.
    I'm confused as to how your system works. I've never seen a CAPTCHA used for 2 factor before and I'm unsure how you actually implemented it as well.
    NightShade03 Member Posts: 1,383
    tiersten wrote: »
    I've setup OpenSSH with SecurID before. The link to the ACE server was done with a patch to the OpenSSH code.

    I had previously seen that you could patch SSH for LDAP to allow your public key to be stored in the LDAP server, but I didn't know you could patch it for things like SecurID too. I'll have to explore this more.
    laidbackfreak Member Posts: 991
    tiersten wrote: »
    I'm confused as to how your system works. I've never seen a CAPTCHA used for 2 factor before and I'm unsure how you'd actually implemented it as well.
    The pin is used in conjunction with the captcha. You know your pin and the image presents a random one time password (numerical) that you cross-reference to your pin.

    For example :- your pin = 1234
    Image presents 741852369
    Underneath is 123456789

    You would enter 7418

    Does that make sense?

    This all links through to an ACS which authenticates to AD + another 3rd party product that generates the code etc.
    laidbackfreak Member Posts: 991
    gbadman wrote: »
    My thought exactly. Are you a religious man, laidbackfreak?

    Religious, me?? Lmao, nah mate, not likely; if you ever met me you'd understand. That said I am a spiritual man and a shaman.

    I'll leave that topic for another forum tho.
    tiersten Member Posts: 4,505
    laidbackfreak wrote: »
    The pin is used in conjunction with the captcha. You know your pin and the image presents a random one time password (numerical) that you cross-reference to your pin.

    For example :- your pin = 1234
    Image presents 741852369
    Underneath is 123456789

    You would enter 7418

    Does that make sense?

    This all links through to an ACS which authenticates to AD + another 3rd party product that generates the code etc.
    Ahhh. Okay. Got you. It's not strictly 2 factor authentication though since both parts are something you know.
    laidbackfreak Member Posts: 991
    tiersten wrote: »
    Ahhh. Okay. Got you. It's not strictly 2 factor authentication though since both parts are something you know.

    Yep that was my argument too, but it's accepted as two factor due to the fact it gives you a one time password.
    tiersten Member Posts: 4,505
    laidbackfreak wrote: »
    Yep that was my argument too, but it's accepted as two factor due to the fact it gives you a one time password.
    If the machine had a keylogger that also took screenshots then the security of the PIN would be broken as the attacker would be able to reverse the typed-in PIN to the real PIN digits. Anybody who can see the screen and the keyboard would also be able to work out the PIN.

    That said, the other types would also be vulnerable if the machine was infected with malware.

    Blizzard uses a little SecurID type token by Vasco to generate a one time code but the malware writers have managed to circumvent it. They recognise that you're trying to log into WoW and abort your connection whilst sending your username, password and currently valid PIN to a bot or person who quickly logs into your account and clears you out or alters your account settings.
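    To make laidbackfreak's scheme and tiersten's objection concrete, here is an added Python model (not from either poster or from any product they mention): it turns the one-time digit row into a substitution, computes what the user types, does the server-side check, and shows that the image row plus the keystrokes invert straight back to the static PIN. The row strings and the PIN are the thread's own example values.

```python
"""Model of the PIN-plus-image login described in the thread (constructed example)."""
import hmac
import secrets
from typing import Dict

# Row printed underneath the image, as in the post ("Underneath is 123456789").
FIXED_ROW = "123456789"


def mapping_from_rows(image_row: str, fixed_row: str = FIXED_ROW) -> Dict[str, str]:
    """Pair each fixed digit with the image digit displayed directly above it."""
    if len(image_row) != len(fixed_row) or sorted(image_row) != sorted(fixed_row):
        raise ValueError("image row must be a permutation of the fixed row")
    return dict(zip(fixed_row, image_row))


def fresh_image_row(fixed_row: str = FIXED_ROW) -> str:
    """Generate the random one-time row a server would render into the image."""
    digits = list(fixed_row)
    secrets.SystemRandom().shuffle(digits)
    return "".join(digits)


def encode_pin(pin: str, mapping: Dict[str, str]) -> str:
    """What the user types: the image digit sitting above each digit of the PIN."""
    return "".join(mapping[d] for d in pin)


def verify_login(typed: str, pin: str, mapping: Dict[str, str]) -> bool:
    """Server side: recompute the expected string and compare in constant time."""
    return hmac.compare_digest(typed, encode_pin(pin, mapping))


def recover_pin(typed: str, mapping: Dict[str, str]) -> str:
    """tiersten's point: whoever holds both the rendered row (screenshot or a look at
    the screen) and the keystrokes inverts the substitution and gets the real PIN,
    which is static and therefore reusable; the image adds no 'something you have'."""
    inverse = {shown: real for real, shown in mapping.items()}
    return "".join(inverse[d] for d in typed)


if __name__ == "__main__":
    m = mapping_from_rows("741852369")      # the row from the post
    typed = encode_pin("1234", m)           # -> "7418", matching the post
    print(typed, verify_login(typed, "1234", m), recover_pin(typed, m))
```

    Running it reproduces the thread's "7418" and then recovers "1234" from it, so the only thing a fresh row protects against is replaying a single typed string, not recovery of the PIN itself.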
    laidbackfreak Member Posts: 991
    tiersten wrote: »
    If the machine had a keylogger that also took screenshots then the security of the PIN would be broken as the attacker would be able to reverse the typed-in PIN to the real PIN digits. Anybody who can see the screen and the keyboard would also be able to work out the PIN.

    a little SecurID type token by Vasco.

    The digits entered aren't in clear text so you can't see what figures you enter.

    We use Vasco tokens too but this way we can reduce the number of tokens issued.
    tiersten Member Posts: 4,505
    laidbackfreak wrote: »
    The digits entered aren't in clear text so you can't see what figures you enter.
    Wouldn't need to. You need the contents of the screen to see the generated number mapping image and what the user is typing either via observing what keys they press or a keylogger.

    My bank, before they went to 2 factor authentication with a small one time pad generator that you slot your bank card into, used to make you enter 2 random characters of your password. Their attempt at avoiding keyloggers was, instead of letting you type each letter, they made you select it from a drop down box.
    laidbackfreak Member Posts: 991
    tiersten wrote: »
    Wouldn't need to. You need the contents of the screen to see the generated number mapping image and what the user is typing either via observing what keys they press or a keylogger.

    True but we have a couple of ways of delivering the security string, currently it's via a VPN; alternatively we can send it via text message. Something else I'm currently investigating as this meets the two factor side.

    Obviously we can't protect against shoulder surfing to get the pin entered but you'd also need to capture the user password alongside it.

    It's not fool proof but certainly meets our needs.
    tiersten Member Posts: 4,505
    laidbackfreak wrote: »
    True but we have a couple of ways of delivering the security string, currently it's via a VPN; alternatively we can send it via text message. Something else I'm currently investigating as this meets the two factor side.
    Nice. The text message option should be good and I'm surprised it's not that widespread. People are generally fairly good at keeping hold of their phones and it would work as something you have. Software tokens that run on phones as well are nice but not everybody has a phone that can take one and they're still not free.
    NightShade03 Member Posts: 1,383
    I think a bigger problem with the SMS solution is getting the "older" crowd to use it. Most of the people I work with are so technically challenged that getting them to sign in every morning is a prayer.

    We are trying to use 2 factor auth for SSH logins to a Red Hat shell only. We were using this program called vShell which has a hack to allow 2 factor (pub key password, plus logon password), but it only works on Windows.

    I wanted to move to a PKI with SSH however the documentation for linux PKIs (CA servers and client setup) is somewhat lacking...