Re: Does a known security issue allow ssh login via system accounts?

On 2022/03/07 11:14, Whit Blauvelt wrote:
> On Tue, 03/01/22, 2022 at 09:45:04AM +1100, Damien Miller wrote:
> 
> > It sounds like you have already verified that your PAM configuration was
> > not tampered with, so that removes one possibility. Reviewing the Ubuntu
> > PAM configurations and the patches they apply to sshd seem to be prudent
> > next steps.
> 
> Found the culprit: me. I was stupid enough to install and configure for
> libpam-google-auth, given a company mandate to 2FA all connections with
> admin access, where it wasn't in scope to add 2FA to all client accounts. If
> there's existing documentation anywhere on how dangerous this is, it's not
> in libpam-google-auth's own docs, nor in the recipes scattered across the
> net.
> 
> I've found no way yet to tweak it to be safe that I can be sure of, short of
> running a separate sshd on another port for it. Has there been consideration
> of adding 2FA to OpenSSH that doesn't require enabling PAM? Public keys and

Already possible:

AuthenticationMethods "publickey,password"

Depending on what you are allowed to use as a second factor and what
clients you use, the key allowed by "publickey" could be a key from a
traditional id_XXX file, or it could be a key handle for a U2F token.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
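An added example of the setting the reply above describes, written as an sshd_config fragment; it is not code from the original message or from the OpenSSH project. It applies the two-method requirement only to an admin group, which matches the situation in the quoted post (2FA mandated for admin access, not for every client account). The group name "sshadmins" is an assumption for illustration.

```text
# Added example; not from the original message or from OpenSSH's own
# documentation. The group name "sshadmins" is an assumed value.

# Ordinary client accounts: public key only, no password prompt.
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey

# Admin accounts: a public key AND a password, in that order, in the
# same session. A password on its own is refused, and so is a key on
# its own. The key may be a file key (id_XXX) or an sk-* key handle
# for a U2F/FIDO token.
Match Group sshadmins
    PasswordAuthentication yes
    AuthenticationMethods publickey,password
```

Before reloading, check the file with `sshd -t -f /path/to/sshd_config`, and confirm the effective settings for a given account with `sshd -T -C user=<name>`, since a Match block that never matches is the usual way this silently fails. For token-backed keys, `PubkeyAuthOptions touch-required` or `verify-required` can additionally demand a touch or a PIN on the token.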
