Re: Does a known security issue allow ssh login via system accounts?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Tue, 03/01/22, 2022 at 09:45:04AM +1100, Damien Miller wrote:

> It sounds like you have already verified that your PAM configuration was
> not tampered with, so that removes one possibility. Reviewing the Ubuntu
> PAM configurations and the patches they apply to sshd seem to be prudent
> next steps.

Found the culprit: me. I was stupid enough to install and configure for
libpam-google-auth, given a company mandate to 2FA all connections with
admin access, where it wasn't in scope to add 2FA to all client accounts. If
there's existing documentation anywhere on how dangerous this is, it's not
in libpam-google-auth's own docs, nor in the recipes scattered across the
net.

I've found no way yet to tweak it to be safe that I can be sure of, short of
running a separate sshd on another port for it. Has there been consideration
of adding 2FA to OpenSSH that doesn't require enabling PAM? Public keys and
IP restrictions seem enough to me. Yet my corporate overlord is required by
their insurance firm to use 2FA. To satisfy that demand, I compromised
security with the badly documented libpam-google-auth -- as if a firm that
can't even secure their flagship browser should be trusted on security.

Stupid me,

Whit

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux