Re: SSH multi factor authentication

Hi Gentlemen,

Thank you both for your valued opinion.  I do however agree that public key
authentication cannot be fully considered MFA as have 2 PCI QSAs I have
spoken with.  This is because it is not enforceable server side.  Many
things can affect client side security.

It is distributable and not enforceable at a single point.
The key can be regenerated or downloaded again and regenerated to remove
the passphrase, making it single factor authentication.
Keystroke loggers can log the keystrokes to unlock the key and capture it in
band on the client.
RSA and OTP generated by google authenticator w/password authentication can
occur out of band and since enforceable on the server side are much more
difficult to breach.

Again, I want to thank you both for your valued opinion and wish everyone
a very great day.

Sincerely,
Bruce F. Bading
Senior Security Consultant

IBM Systems and Technology Group
830-237-6851
badingb@xxxxxxxxxx
member ISACA since 1985


"United We Stand"

For those with risk, your time to remediate is today.
For those who have been breached, your time to remediate was yesterday!



From:	Damien Miller <djm@xxxxxxxxxxx>
To:	Stephen Harris <lists@xxxxxxxxxx>
Cc:	Bruce F Bading/Austin/IBM@IBMUS, openssh-unix-dev@xxxxxxxxxxx
Date:	07/04/2016 01:04 AM
Subject:	Re: SSH multi factor authentication



On Sun, 3 Jul 2016, Stephen Harris wrote:

> On Sun, Jul 03, 2016 at 09:19:43PM -0500, Bruce F Bading wrote:
> > One, the Google Authenticator (OTP authentication).
>
> On its own, this is not 2FA.  It's single factor ("something you
> have").
>
> A combination of Google Authenticator _and_ password is 2FA.  This is
> easy to do with PAM.

Agreed

> > Two, Public/Private key authentication (pubkeyauthentication = yes) which
> > supports pass phrase private key authentication.
>
> This is 2FA in that you need the private key and the passphrase for it.

I don't agree - being able to unlock a private key is just part of
"possessing" it.

OTOH publickey+password authentication could be considered 2FA. Ideally
with the key rendered practically uncloneable by holding it on a token,
etc.

-d



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
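The thread above is about which combinations count as MFA and about Bruce's point that a key passphrase is not enforceable server side. In OpenSSH the server-side enforcement he wants, and the publickey+password combination Damien mentions, are expressed with the sshd_config directive AuthenticationMethods (available since OpenSSH 6.2). The following is an added example, not code from the thread, from IBM, or from the OpenSSH project: it places a weak configuration beside two enforced ones and adds a small audit helper, audit_sshd_config, written here for illustration. The PAM module name comes from the google-authenticator-libpam project; the file paths, the use of Debian-style pam.d fragments, and the helper itself are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the OpenSSH project).
# Assumes OpenSSH >= 6.2 (AuthenticationMethods) and, for the TOTP option,
# pam_google_authenticator.so from google-authenticator-libpam.
# Paths such as /etc/ssh/sshd_config and /etc/pam.d/sshd are assumptions.

# Weak: every enabled method is accepted ON ITS OWN. A private key whose
# passphrase was stripped client side is still a complete login credential,
# which is the point made in the thread about client-side enforcement.
SSHD_WEAK='
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
'

# Option A (Damien: publickey+password): sshd itself requires BOTH the key and
# the account password, in that order. No client-side setting can remove a factor.
SSHD_MFA_KEY_PASSWORD='
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password
'

# Option B (key + OTP): sshd requires the key and then a PAM
# keyboard-interactive exchange that asks for the Google Authenticator code.
# PasswordAuthentication is off because sshd runs the "password" method through
# the same PAM stack, where a module that must prompt for a code cannot ask.
# (Note: ChallengeResponseAuthentication was renamed KbdInteractiveAuthentication
# in OpenSSH 8.7; the old name is still accepted as an alias.)
SSHD_MFA_KEY_OTP='
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
'

# /etc/pam.d/sshd auth lines for option B (assumed Debian-style layout).
# "nullok" is deliberately NOT set: a user without a ~/.google_authenticator
# secret is denied rather than silently falling back to one factor.
# Appending "@include common-auth" after the module would additionally require
# the account password in the same prompt (Stephen's OTP+password combination).
PAM_SSHD_OTP='
auth required pam_google_authenticator.so
'

# audit_sshd_config FILE
# Exit 0 when every AuthenticationMethods alternative names at least two sshd
# methods; exit 1 when an alternative is a single method, when the value is
# "any", or when the directive is absent (the OpenSSH default: one method
# suffices). Commented-out directives are ignored because $1 would be "#...".
# Limitation: Match blocks are not interpreted, and a lone
# keyboard-interactive:pam could still be multi-factor inside PAM; the audit
# cannot see the PAM stack, so it reports that case as weak for human review.
audit_sshd_config() {
    awk '
        tolower($1) == "authenticationmethods" {
            seen = 1
            for (i = 2; i <= NF; i++) {
                if (split($i, parts, ",") < 2) {
                    print "weak alternative: " $i
                    bad = 1
                }
            }
        }
        END {
            if (!seen) { print "no AuthenticationMethods directive"; exit 1 }
            exit bad ? 1 : 0
        }
    ' "$1"
}

# Stand-alone run: audit each constructed configuration from a temp file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    for cfg in "$SSHD_WEAK" "$SSHD_MFA_KEY_PASSWORD" "$SSHD_MFA_KEY_OTP"; do
        printf '%s\n' "$cfg" > "$tmp"
        if audit_sshd_config "$tmp"; then echo "enforced"; else echo "NOT enforced"; fi
    done
    rm -f "$tmp"
fi
```

Before relying on a change, run `sshd -t -f /path/to/candidate_config` and keep an existing session open while testing a new login, since a mistake in AuthenticationMethods or the PAM stack locks out every user. The audit only reads sshd_config; the PAM side (no `nullok`, a real secret present for each account) has to be checked by hand.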