Re: SSH multi factor authentication

On Sun, Jul 03, 2016 at 09:19:43PM -0500, Bruce F Bading wrote:
> One, the Google Authenticator (OTP authentication).

On its own, this is not 2FA.  It's single factor ("something you
have").

A combination of Google Authenticator _and_ password is 2FA.  This is
easy to do with PAM.

> Two, Public/Private key authentication (pubkeyauthentication = yes) which
> supports pass phrase private key authentication.

This is 2FA in that you need the private key and the passphrase for it.
Unfortunately this can't be enforced at the server; it's client side.
That's because the client could _remove_ the passphrase and reduce
it to "something you have".  The server can't tell the difference.
So, from a controls perspective, you have to assume "single factor".

-- 

rgds
Stephen
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
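
The point made above, that the server cannot tell whether a private key still has its passphrase, shown as an added example that is not part of the original message: the public key, which is all the server holds, is identical before and after the passphrase is removed on the client. The key file name, comment and passphrase are constructed sample values.

```shell
#!/bin/sh
# Added example: removing a private key's passphrase is a purely client-side
# operation and leaves the public key (all the server ever sees) unchanged.
# The key name, comment and passphrase below are constructed sample values.

# Prints "same" if the public key derived from the private key file is
# identical before and after the passphrase is removed, else "different".
pubkey_unchanged_after_strip() {
    dir=$(mktemp -d) || return 1
    key="$dir/id_demo"
    pass='constructed-sample-passphrase'

    # 1. Generate a passphrase-protected key pair.
    ssh-keygen -q -t ed25519 -N "$pass" -C demo -f "$key" || return 1

    # 2. Derive the public key from the encrypted private key.
    before=$(ssh-keygen -y -P "$pass" -f "$key") || return 1

    # 3. Remove the passphrase. No server is contacted or informed.
    ssh-keygen -q -p -P "$pass" -N '' -f "$key" >/dev/null || return 1

    # 4. Derive the public key again from the now-unencrypted private key.
    after=$(ssh-keygen -y -P '' -f "$key") || return 1

    rm -rf "$dir"
    if [ "$before" = "$after" ]; then echo same; else echo different; fi
}

pubkey_unchanged_after_strip
```

Because the `authorized_keys` entry and the signature the server verifies depend only on the key pair, an audit of server-side state cannot show whether users' keys are passphrase-protected.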


