Re: SSH multi factor authentication

Bruce F Bading wrote:
> There has been some good discussion around our IBM security team as to what
> actually constitutes SSH multi factor authentication.

In general it is worth putting a lot of thought into this topic, considering how SSH
access is used by all your operators. Think of ansible, cluster SSH, fabric and
other automation tools for mass administration of many machines via SSH.

> There are 2 options
> being discussed.
> 
> One, the Google Authenticator (OTP authentication).
> Two, Public/Private key authentication (pubkeyauthentication = yes) which
> supports pass phrase private key authentication.

The security of OATH-HOTP or OATH-TOTP relies on keeping a shared secret really secret
and securely authenticating it during the enrollment process. Personally I don't
consider a smartphone to be a secure secret store. YMMV.

> Which of these is considered multi-factor authentication and can you give a
> brief response?  There are different opinions here and your opinion is
> greatly appreciated.

Some valuable security aspects were already pointed out by others.

In particular, you have to restrict the management of SSH authorized keys by some means.

Another thing you have to bear in mind is that the usual smart-cards, USB crypto
tokens or similar are pretty slow. For one signature operation most devices
still need at least ~ one second. That does not sound like much but can add up when
accessing or managing many machines at once (again: ansible, cluster SSH, fabric).

More information upon request since it might be considered off-topic here.

Ciao, Michael.


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev