Nico Kadel-Garcia wrote:
On Thu, Jul 7, 2016 at 10:00 AM, Bruce F Bading<badingb@xxxxxxxxxx> wrote:
Hi Gentlemen,
Thank you both for your valued opinion. I do however agree that public key
authentication cannot be fully considered MFA as have 2 PCI QSAs I have
spoken with. This is because it is not enforceable server side. Many
things can affect client side security.
It is distributable and not enforceable at a single point.
The key can be regenerated or downloaded again and regenerated to remove
the passphrase, making it single-factor authentication.
It's not merely possible. It's popular, and nearly inevitable. And
unless you can enforce use of a designated public key on the server
side, for example by breaking ownership checks and making the file and
directories owned by root with user group access, or by
auto-replacing $HOME/.ssh/authorized_keys, well, the user can replace
the key at whim with their own insecure key.
You'd do this by either moving the authorized_keys to another root-owned
location using "AuthorizedKeysFile" (e.g. AuthorizedKeysFile
/etc/ssh/keys/authorized_keys.%u). Or you use "AuthorizedKeysCommand"
and put the keys into a "database" to reference them via a simple
root-owned program.
Personally I'd use the AuthorizedKeysCommand for this setup as it would
provide for a better programmatic way of managing keys.
- Ben
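As an added example (not code from anyone in this thread), the AuthorizedKeysCommand approach Ben describes can look like the following: a root-owned helper that serves keys from a store users cannot write to, and refuses to serve a store file whose permissions have drifted. The sshd_config directives named in the comments are real OpenSSH options; the store path, file layout and helper name are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal AuthorizedKeysCommand
# that serves public keys from a root-owned store, so a user cannot swap
# in their own key via $HOME/.ssh/authorized_keys. Assumed sshd_config
# (the directive names are real OpenSSH options, the paths are ours):
#   AuthorizedKeysFile none
#   AuthorizedKeysCommand /usr/local/sbin/lookup-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
# Store layout (constructed): $KEYSTORE/<user>.pub, root:root, mode 0644,
# inside a directory that is root-owned and mode 0755.

KEYSTORE="${KEYSTORE:-/etc/ssh/keys}"

# sshd passes %u verbatim; only accept plain account names so the name
# cannot walk out of the store directory (no '/', no leading '.').
valid_user() {
  case "$1" in
    ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# True if the group or world write bit is set on the given file.
writable_by_others() {
  [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]
}

# Emit the keys for one user on stdout. Exit status 0 with empty output
# means "no keys" (sshd then rejects pubkey auth); a non-zero status means
# the request was refused outright and any output is ignored by sshd.
lookup_keys() {
  user="$1"
  valid_user "$user" || return 1
  file="$KEYSTORE/$user.pub"
  [ -f "$file" ] || return 0
  # A store file that others can modify is no longer a single point of
  # enforcement, so refuse to serve it rather than trust its contents.
  writable_by_others "$file" && return 1
  # Drop blank and comment lines; key options (command=, no-pty, ...) pass.
  grep -Ev '^[[:space:]]*(#|$)' "$file" || true
}

# When installed under the assumed name and run by sshd, serve the first
# argument; when sourced elsewhere the functions are just defined.
case "$0" in
  */lookup-authorized-keys|lookup-authorized-keys) lookup_keys "$1" ;;
esac
```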
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev