Re: Does a known security issue allow ssh login via system accounts?

On 3/7/22 17:14, Whit Blauvelt wrote:
> Found the culprit: me. I was stupid enough to install and configure for
> libpam-google-auth, given a company mandate to 2FA all connections with
> admin access,

libpam-google-auth and other similar PAM modules require storing the tokens' shared secrets on the server. If your system gets hacked and the shared secrets are stolen, the attacker can generate an arbitrary number of valid OTP values. And if you use the same shared secrets on multiple servers, the security impact will be broad.

=> Don't use that.

> Has there been consideration
> of adding 2FA to OpenSSH that doesn't require enabling PAM? Public keys and
> IP restrictions seem enough to me.

Use the new FIDO key type.

Or use short-term OpenSSH user certificates issued by a secured SSH-CA which uses 2FA for user authc.

Ciao, Michael.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
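To make the point about server-stored shared secrets concrete, here is an added example (not code from Michael's message, from libpam-google-auth or from the OpenSSH project) of a minimal RFC 4226/6238 TOTP verifier of the kind such a PAM module has to implement. The secret is the RFC 6238 reference secret, used here as a constructed sample of what sits in a per-user secret file. The thing to notice is that verify() and totp() take the same raw secret: whatever the server needs to check a code is also sufficient to compute the code for any past or future time step, which is why the secret file is a password-equivalent asset and why a FIDO authenticator, whose private key never leaves the token, does not have this property.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 reference secret, Base32-encoded the way
# TOTP secrets are usually kept on disk. Any real deployment has one per user.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time.
    Calling this with a future timestamp yields the code that will be valid
    then; nothing but the shared secret is needed."""
    secret = base64.b32decode(secret_b32)
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify(secret_b32: str, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or up to
    `window` steps of clock drift either side. This is the function a PAM
    module runs at login, and it needs the raw secret, so anyone who copies
    the secret file holds exactly what is required to mint valid codes."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    t = 59  # RFC 6238 test-vector time
    print("code at t=59:", totp(SAMPLE_SECRET_B32, t))
    print("verify:", verify(SAMPLE_SECRET_B32, totp(SAMPLE_SECRET_B32, t), t))
```

The assertions below use the RFC 6238 Appendix B vectors (the 6-digit codes are the trailing six digits of the published 8-digit SHA-1 values), so the verifier can be checked against the standard without any external library.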


