Philipp Marek
2022-Mar-07 17:40 UTC
Does a known security issue allow ssh login via system accounts?
>That's a nice thing about pam_yubico with real Yubikeys: they can be validated against the Yubico cloud API, without any local secrets.Just to make sure I understand you correctly - a cloud service determines whether some access to your server is to be granted?
Blumenthal, Uri - 0553 - MITLL
2022-Mar-07 17:50 UTC
Does a known security issue allow ssh login via system accounts?
> >That's a nice thing about pam_yubico with real Yubikeys: > >they can be validated against the Yubico cloud API, > >without any local secrets. > > Just to make sure I understand you correctly - a cloud > service determines whether some access to your server > is to be granted?A cloud service *authenticates* the user. It's the job of *other* PAM modules and configuration to decide what to *authorize* this authenticated identity for, including login. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5249 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20220307/9099a6c3/attachment-0001.p7s>
Brian Candler
2022-Mar-07 17:54 UTC
Does a known security issue allow ssh login via system accounts?
On 07/03/2022 17:40, Philipp Marek wrote:>> That's a nice thing about pam_yubico with real Yubikeys: they can be validated against the Yubico cloud API, without any local secrets. > Just to make sure I understand you correctly - a cloud service determines whether some access to your server is to be granted?Yes: a cloud service run by security experts, almost certainly more secure and better managed than I could build myself. And in any case, it's a second factor on top of private/public keys that I do manage locally. (They used to provide code for you to host your own validation server - but I've just checked and found that's end-of-life)