There has been some good discussion around our IBM security team as to what actually constitutes SSH multi-factor authentication. There are 2 options being discussed.

One, the Google Authenticator (OTP authentication).
Two, Public/Private key authentication (pubkeyauthentication = yes) which supports pass phrase private key authentication.

Which of these is considered multi-factor authentication and can you give a brief response? There are different opinions here and your opinion is greatly appreciated.

Sincerely,

Bruce F. Bading
Senior Security Consultant
IBM Systems and Technology Group
830-237-6851
badingb at us.ibm.com
member ISACA since 1985

"United We Stand"
For those with risk, your time to remediate is today. For those who have been breached, your time to remediate was yesterday!
On Sun, Jul 03, 2016 at 09:19:43PM -0500, Bruce F Bading wrote:
> One, the Google Authenticator (OTP authentication).

On its own, this is not 2FA. It's single factor ("something you have").

A combination of Google Authenticator _and_ password is 2FA. This is easy to do with PAM.

> Two, Public/Private key authentication (pubkeyauthentication = yes) which
> supports pass phrase private key authentication.

This is 2FA in that you need the private key and the passphrase for it. Unfortunately this can't be enforced at the server; it's client side. That's because the client could _remove_ the passphrase and reduce it to "something you have". The server can't tell the difference. So, from a controls perspective, you have to assume "single factor".

--
rgds
Stephen
On Sun, 3 Jul 2016, Stephen Harris wrote:
> On Sun, Jul 03, 2016 at 09:19:43PM -0500, Bruce F Bading wrote:
> > One, the Google Authenticator (OTP authentication).
>
> On its own, this is not 2FA. It's single factor ("something you
> have").
>
> A combination of Google Authenticator _and_ password is 2FA. This is
> easy to do with PAM.

Agreed.

> > Two, Public/Private key authentication (pubkeyauthentication = yes) which
> > supports pass phrase private key authentication.
>
> This is 2FA in that you need the private key and the passphrase for it.

I don't agree - being able to unlock a private key is just part of "possessing" it.

OTOH publickey+password authentication could be considered 2FA. Ideally with the key rendered practically uncloneable by holding it on a token, etc.

-d
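Both replies above reduce to the same server-side question: does sshd actually demand two methods, or merely accept one of several? The shell script below is an added example for this thread, not code from any of the posters or from the OpenSSH project. It reads an sshd_config and reports whether every AuthenticationMethods alternative chains at least two distinct methods, and whether UsePAM is on where a chain relies on keyboard-interactive (the path a PAM OTP module such as pam_google_authenticator is reached through). The names cfg_get and sshd_requires_two_factors are hypothetical, the sample config is constructed, and the check assumes OpenSSH 6.2 or later, the usual "Keyword argument" line syntax, and reads only the global section before any Match block. It counts methods, not factor types: "publickey,password" is Damien's publickey+password, "publickey,keyboard-interactive" is Stephen's PAM combination, and a passphrase on the client's private key stays invisible to it, exactly as Stephen describes.

```shell
#!/bin/sh
# audit_sshd_mfa.sh (hypothetical name): report whether an sshd_config makes
# the *server* require two authentication methods. Added example, not from the
# thread or from OpenSSH. Assumes OpenSSH >= 6.2 (AuthenticationMethods exists),
# the usual "Keyword argument" line syntax, and reads only the global section.

# Print the first value of keyword $1 (given in lower case) from config file $2,
# lower-cased. sshd uses the first occurrence of a keyword, so stop at the first
# hit, and stop at the first Match block because its settings are conditional.
cfg_get() {
    awk -v k="$1" '
        tolower($1) == "match" { exit }
        tolower($1) == k       { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2" | tr 'A-Z' 'a-z'
}

# Return 0 when every AuthenticationMethods alternative chains at least two
# distinct methods and the PAM prerequisites for keyboard-interactive are met.
# Otherwise print the first problem found and return 1.
sshd_requires_two_factors() {
    cfg="$1"
    methods=$(cfg_get authenticationmethods "$cfg")
    if [ -z "$methods" ]; then
        echo "FAIL: no AuthenticationMethods; any single enabled method logs a client in"
        return 1
    fi
    use_pam=$(cfg_get usepam "$cfg")
    # ChallengeResponseAuthentication was renamed KbdInteractiveAuthentication
    # in OpenSSH 8.7; both default to yes, so only an explicit "no" matters.
    kbd=$(cfg_get challengeresponseauthentication "$cfg")
    [ -n "$kbd" ] || kbd=$(cfg_get kbdinteractiveauthentication "$cfg")

    for alt in $methods; do            # alternatives are space-separated
        # Count distinct methods in this chain: "publickey,publickey" is one
        # method used twice, and "keyboard-interactive:pam" is keyboard-interactive.
        n=$(printf '%s\n' "$alt" | tr ',' '\n' | sed 's/:.*//' | sort -u | wc -l | tr -d ' ')
        if [ "$n" -lt 2 ]; then
            echo "FAIL: alternative '$alt' admits a client with a single method"
            return 1
        fi
        case ",$alt," in
            *,keyboard-interactive*)
                if [ "$use_pam" != "yes" ]; then
                    echo "FAIL: '$alt' needs UsePAM yes for a PAM OTP module to be consulted"
                    return 1
                fi
                if [ "$kbd" = "no" ]; then
                    echo "FAIL: '$alt' can never succeed: keyboard-interactive is disabled"
                    return 1
                fi
                ;;
        esac
    done
    echo "PASS: every alternative requires two methods ($methods)"
    return 0
}

# Usage: sh audit_sshd_mfa.sh /etc/ssh/sshd_config
# With no argument, audit a constructed sample: key first, then a PAM OTP prompt.
if [ "$#" -gt 0 ]; then
    sshd_requires_two_factors "$1"
else
    sample=$(mktemp)
    printf '%s\n' 'UsePAM yes' 'PubkeyAuthentication yes' \
        'AuthenticationMethods publickey,keyboard-interactive:pam' > "$sample"
    sshd_requires_two_factors "$sample"
    rm -f "$sample"
fi
```

A passing result only shows that sshd will not accept one method alone; whether the second method is a different *kind* of factor (an OTP generator rather than a second password) is still a judgement for the reviewer, and nothing here can see whether the client's key file is encrypted.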
Bruce F Bading wrote:
> There has been some good discussion around our IBM security team as to what
> actually constitutes SSH multi factor authentication.

In general it's worth putting a lot of thought into this topic, considering how SSH access is used by all your operators. Think of ansible, cluster SSH, fabric and other automation tools for mass administration of many machines via SSH.

> There are 2 options
> being discussed.
>
> One, the Google Authenticator (OTP authentication).
> Two, Public/Private key authentication (pubkeyauthentication = yes) which
> supports pass phrase private key authentication.

The security of OATH-HOTP or OATH-TOTP relies on keeping a shared secret really secret and securely authenticating it during the enrollment process. Personally I don't consider a smartphone to be a secure secret store. YMMV.

> Which of these is considered multi-factor authentication and can you give a
> brief response? There are different opinions here and your opinion is
> greatly appreciated.

Some valuable security aspects were already pointed out by others. Especially, you have to restrict the management of SSH authorized keys by some means.

Another thing you have to bear in mind is that the usual smart-cards, USB crypto tokens or similar are pretty slow. For one signature operation most devices still need at least ~ one second. That does not sound like much but can add up when accessing or managing many machines at once (again: ansible, cluster SSH, fabric). More information upon request since it might be considered off-topic here.

Ciao, Michael.