On Wed, Apr 22, 2009 at 02:02:27PM -0600, Ryan Kish wrote:
> I am currently trying to determine how I can implement two factor
> authentication for some servers that sit on border networks. Ideally,
> a user would be required to use an rsa/dsa key & their system login
> password to gain access. This way, they are using something they have
> (rsa/dsa key) and something they know (password).

RSA auth already provides this, of course: they have something they have (their key) and something they know (the passphrase to the key).

It is unfortunate that there is no way to enforce that the user's keys be encrypted. Since the client needs access to the unencrypted key, it's necessarily a client-side operation to decrypt the key, which means that even if OpenSSH provided a mechanism to enforce that the on-disk keys were encrypted, the user could use their own client which had no such restrictions...

> It would allow me to enforce complex passwords as well as expiration
> time on the server side.

Which does nothing to prevent the user from leaving their complex password on a post-it note on their monitor, leaving it in an unencrypted file on their workstation, or telling their "trusted" coworkers what it is, etc....

You either can trust your users to behave, or you can't. If you can't, you have a problem that you can't easily fix with technology (not cheaply, anyway), but your problem is only as big as the thing you're protecting is valuable... Smart cards and similar may be the best bet. If you have a genuine need for this level of security, then someone should be willing to pay for it. If no one is willing to pay for it, then are you sure you really need that level of security? It would seem that whatever organization you're securing has already decided that question for you... ;-)

More security is not always better... If your users (or bosses) don't see the need, then the harder you make it for them to get what they need, they may be more likely to work harder to get around your security measures, undermining your efforts. It can also lead to user dissatisfaction, which may mean increased turnover, or users seeking alternatives to whatever services you're providing. The effort spent on security should match the value of whatever you're trying to secure...

Those caveats aside, one relatively cheap way to implement what you want is to provide a bastion host. It would accept only one of the two methods of authentication. Access to the resource you're protecting would use the other of the two, and be restricted to requests coming from the bastion host (typically by firewall rules, though there may be other options depending on what you're doing).

Another way might be to use RSA auth with SSH to protect access to the server, and then use Kerberos or similar to protect the resource (e.g. an NFS mount).

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
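The bastion layout described in the reply above, written out as two sshd_config fragments. This is an added example, not part of the original mail or of OpenSSH's own documentation; the bastion address 192.0.2.10 is a placeholder, and the firewall lines assume a Linux host with iptables.

```sshd_config
# ===== Bastion host: /etc/ssh/sshd_config =====
# Factor 1 only: users must present their RSA/DSA key; passwords are
# refused here, so a stolen password alone gets nobody onto the hop.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no

# ===== Protected server: /etc/ssh/sshd_config =====
# Factor 2 only: the system login password (so the server-side
# complexity and expiration rules apply), and only for connections
# that arrive from the bastion. Key auth is disabled globally.
PubkeyAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no

# Match blocks must be the last thing in the file; keywords indented
# under them apply only to matching connections. 192.0.2.10 is a
# placeholder for the bastion's address as the server sees it.
Match Address 192.0.2.10
    PasswordAuthentication yes

# Belt and braces at the packet level (run on the protected server,
# not part of sshd_config): only the bastion may reach port 22.
#   iptables -A INPUT -p tcp --dport 22 -s 192.0.2.10 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -j DROP
```

Validate each file with `sshd -t` before restarting the daemon, and keep an existing session open while you do so in case a typo locks you out.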