2 Factor SSH
NightShade03 Member Posts: 1,383
in Off-Topic
Anyone ever set up SSH for 2 factor auth use?
Comments
rfult001 Member Posts: 407
Two-factor was just recently implemented where I work. I don't have too many details on how it is set up since I am not on the network team.
Here are some links I found on setting up SSH with two-factor after a quick Google search (which is what I think they did here):
Secure your SSH deployment with WiKID two-factor authentication | HowtoForge - Linux Howtos and Tutorials
Tighter SSH Security with Two-Factor Authentication | Linux Journal
laidbackfreak Member Posts: 991
Yep I'm just finishing implementing a solution at my place. Combination of a pin and password. The pin is encrypted and delivered via a Turing image.
It's working ok via IE7 but I'm having issues via other browsers but I'm aware of the cause, just looking for a workaround at the moment.
if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
tiersten Member Posts: 4,505
I've set up OpenSSH with SecurID before. The link to the ACE server was done with a patch to the OpenSSH code.
laidbackfreak wrote: »The pin is encrypted and delivered via a Turing image.
gbadman Member Posts: 71
A pessimist is one who makes difficulties of his opportunities and an optimist is one who makes opportunities of his difficulties
- Harry Truman
tiersten Member Posts: 4,505
laidbackfreak wrote: »Yep I'm just finishing implementing a solution at my place. Combination of a pin and password. The pin is encrypted and delivered via a Turing image.
NightShade03 Member Posts: 1,383
I've set up OpenSSH with SecurID before. The link to the ACE server was done with a patch to the OpenSSH code.
I had previously seen that you could patch SSH for LDAP to allow your public key to be stored in the LDAP server, but I didn't know you could patch it for things like SecurID too. I'll have to explore this more.
laidbackfreak Member Posts: 991
I'm confused as to how your system works. I've never seen a CAPTCHA used for 2 factor before and I'm unsure how you'd actually implemented it as well.
For example: your pin = 1234
Image presents 741852369
Underneath is 123456789
You would enter 7418
Does that make sense?
This all links through to an ACS which authenticates to AD + another 3rd party product that generates the code etc.
laidbackfreak Member Posts: 991
My thought exactly. Are you a religious man, laidbackfreak?
Religious, me?? Lmao nah mate, not likely; if you ever met me you'd understand. That said I am a spiritual man and a shaman.
I'll leave that topic for another forum tho.
tiersten Member Posts: 4,505
laidbackfreak wrote: »The pin is used in conjunction with the captcha. You know your pin and the image presents a random one time password (numerical) that you cross-reference to your pin
For example: your pin = 1234
Image presents 741852369
Underneath is 123456789
You would enter 7418
Does that make sense?
This all links through to an ACS which authenticates to AD + another 3rd party product that generates the code etc.
laidbackfreak Member Posts: 991
Ahhh. Okay. Got you. It's not strictly 2 factor authentication though since both parts are something you know.
Yep that was my argument too, but it's accepted as two factor due to the fact it gives you a one time password.
tiersten Member Posts: 4,505
laidbackfreak wrote: »Yep that was my argument too, but it's accepted as two factor due to the fact it gives you a one time password.
That said, the other types would also be vulnerable if the machine was infected with malware.
Blizzard uses a little SecurID type token by Vasco to generate a one time code but the malware writers have managed to circumvent it. They recognise that you're trying to log into WoW and abort your connection whilst sending your username, password and currently valid PIN to a bot or person who quickly logs into your account and clears you out or alters your account settings.
laidbackfreak Member Posts: 991
If the machine had a keylogger that also took screenshots then the security of the PIN would be broken as the attacker would be able to reverse the typed in PIN to the real PIN digits. Anybody who can see the screen and the keyboard would also be able to work out the PIN.
a little SecurID type token by Vasco.
The digits entered aren't in clear text so you can't see what figures you enter.
We use Vasco tokens too but this way we can reduce the number of tokens issued.
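As an added illustration (not code from the thread or from any product named in it), here is the PIN-plus-image scheme laidbackfreak describes written out in Python, together with the check tiersten raises: the PIN and the response are both "something you know", and one screenshot of the image plus the typed digits gives the PIN back by a simple inverse lookup. All function names, the index row `DIGITS`, and the sample values are this example's own; the scheme is limited to PIN digits 1-9 because that is the row shown under the image in the thread.

```python
"""Worked example of the PIN / Turing-image mapping from the thread.

Server side: pick a random permutation of 1-9 and show it above the fixed
row 123456789.  User side: for each PIN digit d, type the character shown
above d.  The example also shows why this is not a strong second factor.
"""
import hmac
import secrets

DIGITS = "123456789"  # the fixed index row displayed under the image


def new_mapping() -> str:
    """Server side: a fresh, CSPRNG-shuffled permutation of 1-9 (the image)."""
    digits = list(DIGITS)
    secrets.SystemRandom().shuffle(digits)
    return "".join(digits)


def expected_response(pin: str, mapping: str) -> str:
    """What the user is expected to type: mapping[index of d] for each PIN digit d."""
    if len(mapping) != len(DIGITS) or sorted(mapping) != list(DIGITS):
        raise ValueError("mapping must be a permutation of 1-9")
    if not pin or any(d not in DIGITS for d in pin):
        raise ValueError("this scheme can only encode PIN digits 1-9")
    return "".join(mapping[DIGITS.index(d)] for d in pin)


def verify(pin: str, mapping: str, response: str) -> bool:
    """Server side: compare the typed response in constant time."""
    return hmac.compare_digest(expected_response(pin, mapping), response)


def recover_pin(mapping: str, response: str) -> str:
    """The weakness tiersten points out: anyone holding one image (screenshot
    or shoulder surfing) and the matching typed digits (keylogger or watching
    the keyboard) gets the real PIN by inverting the permutation."""
    return "".join(DIGITS[mapping.index(c)] for c in response)


if __name__ == "__main__":
    # The exact worked example from the thread: PIN 1234, image 741852369.
    print(expected_response("1234", "741852369"))  # 7418
    print(recover_pin("741852369", "7418"))        # 1234
```

Because `recover_pin` needs no guessing at all, the image only defends against a keylogger that does not also capture the screen; it does not turn the PIN into a possession factor, which is the point made in the replies above.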
tiersten Member Posts: 4,505
laidbackfreak wrote: »The digits entered aren't in clear text so you can't see what figures you enter.
My bank, before they went to 2 factor authentication with a small one time pad generator that you slot your bank card into, used to make you enter 2 random characters of your password. Their attempt at avoiding keyloggers was, instead of letting you type each letter, they made you select it from a drop down box.
laidbackfreak Member Posts: 991
Wouldn't need to. You need the contents of the screen to see the generated number mapping image and what the user is typing either via observing what keys they press or a keylogger.
True, but we have a couple of ways of delivering the security string; currently it's via a VPN, alternatively we can send it via text message. Something else I'm currently investigating as this meets the two factor side.
Obviously we can't protect against shoulder surfing to get the pin entered but you'd also need to capture the user password alongside it.
It's not foolproof but certainly meets our needs.
tiersten Member Posts: 4,505
laidbackfreak wrote: »True, but we have a couple of ways of delivering the security string; currently it's via a VPN, alternatively we can send it via text message. Something else I'm currently investigating as this meets the two factor side.
NightShade03 Member Posts: 1,383
I think a bigger problem with the SMS solution is getting the "older" crowd to use it. Most of the people I work with are so technically challenged that getting them to sign in every morning is a prayer.
We are trying to use 2 factor auth for SSH logins to a Red Hat shell only. We were using this program called vShell which has a hack to allow 2 factor (pub key password, plus logon password), but it only works on Windows.
I wanted to move to a PKI with SSH; however, the documentation for Linux PKIs (CA servers and client setup) is somewhat lacking...
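The "public key plus a second prompt" combination asked about above can be done in stock OpenSSH on Linux without patching the daemon or a Windows-only client. The script below is an added example, not from the thread or from any product in it: it emits an sshd drop-in that requires a key and a PAM keyboard-interactive step for every login, and writes it into a directory of your choice. Assumptions: OpenSSH 6.2 or later for `AuthenticationMethods`, 8.2 or later for the `Include /etc/ssh/sshd_config.d/*.conf` line that stock configs carry (on older versions paste the directives into `sshd_config` itself), and a PAM stack already set up with whichever OTP module you use (a TOTP module, or a RADIUS module in front of an ACS/SecurID server). The file name `50-two-factor.conf` and the function names are this example's own.

```shell
#!/bin/sh
# Added example: enforce key + PAM (OTP) second factor in OpenSSH.
set -eu

# The drop-in fragment.  AuthenticationMethods lists factors that must ALL
# succeed, in order: the key first, then the PAM keyboard-interactive prompt.
two_factor_fragment() {
  cat <<'EOF'
# Require a public key AND a keyboard-interactive (PAM) factor for every login.
AuthenticationMethods publickey,keyboard-interactive
PubkeyAuthentication yes
# Older releases spell this ChallengeResponseAuthentication.
KbdInteractiveAuthentication yes
UsePAM yes
# Plain password logins stay off; the PAM prompt is the second factor,
# not a replacement for the key.
PasswordAuthentication no
EOF
}

# Write the fragment into a drop-in directory (default: the live one).
# Pass "check" as the second argument to run sshd's syntax check afterwards,
# which needs root and the real host keys, so it is opt-in here.
install_fragment() {
  dir="${1:-/etc/ssh/sshd_config.d}"
  two_factor_fragment > "$dir/50-two-factor.conf"
  if [ "${2:-}" = check ]; then
    sshd -t   # validates the whole merged config before any reload
  fi
}

# Unprivileged sanity check: does the fragment carry a given directive line?
fragment_has() {
  two_factor_fragment | grep -q "^$1"
}

# Typical use on the server (as root):
#   install_fragment /etc/ssh/sshd_config.d check && systemctl reload sshd
# Keep an existing session open while testing: a broken PAM stack with
# AuthenticationMethods set will lock every new login out.
```

Test from a second terminal before closing the first: a client with the right key but no valid code must be refused, and `sshd -T | grep -i authenticationmethods` shows the effective setting after the reload. Note that `keyboard-interactive` only works as a second factor if the PAM stack really prompts for an OTP; if it falls back to the account password, you are back to two things the user knows, which is the same objection raised about the PIN-image scheme earlier in the thread.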