Re: Does a known security issue allow ssh login via system accounts?



On 07/03/2022 16:14, Whit Blauvelt wrote:
> Found the culprit: me. I was stupid enough to install and configure for
> libpam-google-auth, given a company mandate to 2FA all connections with
> admin access, where it wasn't in scope to add 2FA to all client accounts.

Could you explain a bit more what went wrong?

In order to configure 2FA (*), I do this:

PasswordAuthentication no
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam

The comma means sshd requires publickey *and* PAM authentication to complete.  I can't see how this can make it any less secure than publickey alone, which is why I'm wondering what went wrong in your case.

If you want to disable 2FA either for certain trusted users, or certain trusted source IP addresses, you can use a Match block, e.g.

Match Address
AuthenticationMethods publickey

On the other hand, if you're trying to enable *password* authentication with separate 2FA, then that's certainly much trickier to get right in the PAM stack.  I would go for public key or certificate auth instead, with 2FA on top.

Alternatively, think about doing public key auth using ecdsa-sk keys and a U2F token - they are very cheap. You need a fairly modern openssh at client and server side though.



(*) I'm using pam_yubico, but I believe the above should apply to any 2FA challenge/response using PAM.

openssh-unix-dev mailing list
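The following is an added example, not code from the mailing-list post or from OpenSSH. It models the sshd_config semantics the reply relies on (global keywords, a Match Address block overriding them, and the AuthenticationMethods grammar where a comma chains methods that must all succeed and whitespace separates alternatives) and resolves which methods a client from a given source address would face. The config text is constructed for the example, and the 192.0.2.0/24 "trusted" network is an assumed placeholder; on a real host the authoritative check is `sshd -T -C addr=<ip>,user=<name>,host=<name>`.

```python
import ipaddress

# Constructed sshd_config in the shape the reply describes: key + PAM 2FA
# everywhere, except that clients from an (assumed) trusted management
# network 192.0.2.0/24 only need a public key. Example values, not real ones.
EXAMPLE_CONFIG = """
PasswordAuthentication no
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam

Match Address 192.0.2.0/24
    AuthenticationMethods publickey
"""


def _address_matches(addr, pattern_list):
    """'Match Address' semantics for a comma-separated CIDR list: a pattern
    prefixed with '!' that matches rejects the address, a plain pattern that
    matches accepts it, and no match at all means the block does not apply."""
    ip = ipaddress.ip_address(addr)
    for pattern in pattern_list.split(","):
        negated = pattern.startswith("!")
        net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
        if ip in net:
            return not negated
    return False


def parse_sshd_config(text):
    """Split an sshd_config into (global_settings, [(criteria, settings), ...]).
    Keywords are case-insensitive and '#' starts a comment. Only the Address
    criterion of Match is modelled; anything else raises rather than guessing."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            criteria = {k.lower(): v for k, v in zip(tokens[0::2], tokens[1::2])}
            if set(criteria) != {"address"}:
                raise NotImplementedError("only 'Match Address' is modelled here")
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_settings.setdefault(keyword, value)  # first value wins
        else:
            current[1].setdefault(keyword, value)
    return global_settings, blocks


def effective_settings(text, client_addr):
    """Resolve keywords the way sshd does: global values first, then a matching
    Match block overrides them; if several blocks match and set the same
    keyword, the first one's value is kept."""
    settings, blocks = parse_sshd_config(text)
    effective = dict(settings)
    overridden = set()
    for criteria, block in blocks:
        if not _address_matches(client_addr, criteria["address"]):
            continue
        for keyword, value in block.items():
            if keyword not in overridden:
                effective[keyword] = value
                overridden.add(keyword)
    return effective


def auth_methods(text, client_addr):
    """AuthenticationMethods grammar: whitespace separates alternative chains,
    commas chain methods that must ALL succeed, in order. Returns a list of
    chains, each a list of method names; the default is the single chain 'any'."""
    value = effective_settings(text, client_addr).get("authenticationmethods", "any")
    return [chain.split(",") for chain in value.split()]


def requires_second_factor(text, client_addr):
    """True only if every alternative chain demands at least two methods, i.e.
    there is no single-method path into the server from this address."""
    return all(len(chain) >= 2 for chain in auth_methods(text, client_addr))


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.10"):
        print(ip, auth_methods(EXAMPLE_CONFIG, ip),
              "2FA" if requires_second_factor(EXAMPLE_CONFIG, ip) else "single factor")
```

The point the function `requires_second_factor` makes explicit is the one in the reply: `publickey,keyboard-interactive:pam` is a single chain, so both must succeed, whereas a Match Address block hands trusted networks a chain of just `publickey`. A block that set `publickey keyboard-interactive:pam` (space, not comma) would instead offer two one-method alternatives, and the check above would flag it.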
