Hello Damien, Brian and all,

thanks for the suggestions. I actually had not considered host-based authentication and looked it up.
As I understand from my first quick reading, I would need to specify the clients which are allowed to use host-based auth on the server with a DNS name or an IP, which would not work for a client behind a CG NAT or in a cellular network.
Or did I get this wrong?

So, this is also an answer to Brian. Right now, I cannot simply use IPs.
(However, it would not be out of reach to simply put all clients on a private VPN. But I would consider that more of a work-around to the original problem.)

Thanks and best,
Jan

On 22.10.20 at 01:31, Damien Miller wrote:
> On Wed, 21 Oct 2020, Jan Bergner wrote:
>
>> Hello all,
>>
>> in order to connect to my SSH servers from untrusted devices like company computers or my smartphone, I set up 2FA with
>> google-authenticator hooked into PAM.
>>
>> However, this is not really 2FA, at least for the smartphone, since I use the same device for generating the TANs, and it
>> is also at least inconvenient to always require a new TAN for each connection. I do not want to solely rely on SSH keys
>> on these devices since - as I pointed out - I do not really trust them.
>>
>> So, my idea was to use SSH keys but to also require the server's PAM login for these "semi-trusted" keys. But of course,
>> I want to trust the keys on my own laptop and desktop without an additional PAM password. Therefore, I cannot simply use
>> something like
>>
>> AuthenticationMethods publickey,password
>
> Since the main difference here is how much you trust the originating host,
> you might want to consider setting up host-based authentication for those
> hosts and using a config like:
>
> AuthenticationMethods publickey,password publickey,hostbased
>
> This would allow users to log in with (public key AND password) OR
> (public key and host-based).
>
> -d

--
Jan Bergner, M.Sc.
Senior IT Administrator
indurad GmbH - The Industrial Radar Company
Belvedereallee 5
52070 Aachen, Germany
Office: +49 241 538070-61
Front Desk: +49 241 538070-0
Fax: +49 241 538070-99
jan.bergner at indurad.com
www.indurad.com

On 10/23/20 4:32 AM, Jan Bergner wrote:
> Hello Damien, Brian and all,
>
> thanks for the suggestions. I actually had not considered host-based authentication and looked it up.
> As I understand from my first quick reading, I would need to specify the clients which are allowed to use host-based auth on the server with a DNS name or an IP, which would not work for a client behind a CG NAT or in a cellular network.
> Or did I get this wrong?

You can use dynamic DNS to obtain a static DNS name. As your IP address changes, the DNS record is updated accordingly. DNS spoofing is not a security risk (beyond DoS) because the host must prove possession of its secret key. This is the approach I recommend.

> So, this is also an answer to Brian. Right now, I cannot simply use IPs.
> (However, it would not be out of reach to simply put all clients on a private VPN. But I would consider that more of a work-around to the original problem.)

Using IP addresses is not a good idea, unless you are using a VPN that prevents spoofing.

> Thanks and best,
> Jan

Sincerely,
Demi

On Fri, 23 Oct 2020, Jan Bergner wrote:
> Hello Damien, Brian and all,
>
> thanks for the suggestions. I actually had not considered host-based
> authentication and looked it up.
> As I understand from my first quick reading, I would need to specify the
> clients which are allowed to use host-based auth on the server with a DNS name
> or an IP, which would not work for a client behind a CG NAT or in a cellular
> network.
> Or did I get this wrong?

You can use the sshd_config HostbasedUsesNameFromPacketOnly option to
turn off the DNS checking in host-based authentication and rely only
on the correct key being presented (matching one in /etc/ssh/known_hosts).

-d

Well, this is more complicated than I would have hoped, but it will indeed achieve my goal - even if it does not allow to explicitly require additional authentication per key.
Thus, I want to thank Demi and Damien for their suggestions.

So, I would set up sshd_config like this:

AuthenticationMethods publickey,password publickey,hostbased

Additionally, I might do an IP-match to relax the requirements for devices inside a VPN.

One last thing I would consider a nice extra, as it would allow access from another computer that is trustworthy but has no private key. (Like a good and competent friend's laptop or something like that.)
Would it be possible to additionally allow password and google-authenticator?
As I understand it, I can require the password method for the password and nothing else but the password, while google-authenticator hooked into PAM works with keyboard-interactive.
So I think of something like

AuthenticationMethods publickey,password publickey,hostbased keyboard-interactive

However, it is not clear to me what exactly "password" does. Assuming it also uses PAM, I am not certain how I would instruct it to require the second factor for one method (keyboard-interactive) while at the same time being satisfied with only the password for the other method (password).

Any thoughts?

Best,
Jan

On 25.10.20 at 06:47, Damien Miller wrote:
> On Fri, 23 Oct 2020, Jan Bergner wrote:
>
>> Hello Damien, Brian and all,
>>
>> thanks for the suggestions. I actually had not considered host-based
>> authentication and looked it up.
>> As I understand from my first quick reading, I would need to specify the
>> clients which are allowed to use host-based auth on the server with a DNS name
>> or an IP, which would not work for a client behind a CG NAT or in a cellular
>> network.
>> Or did I get this wrong?
>
> You can use the sshd_config HostbasedUsesNameFromPacketOnly option to
> turn off the DNS checking in host-based authentication and rely only
> on the correct key being presented (matching one in /etc/ssh/known_hosts).
>
> -d
>
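The three suggestions in this thread (the two-list AuthenticationMethods policy, HostbasedUsesNameFromPacketOnly for clients behind CG-NAT, and a Match block that relaxes the policy inside a VPN) combined into one sshd_config excerpt. This is an added example, not a configuration posted by anyone in the thread; the VPN range 10.8.0.0/24 is a placeholder, and the system-wide host-key file sshd consults for host-based authentication is /etc/ssh/ssh_known_hosts.

```text
# /etc/ssh/sshd_config excerpt (added example, not from the thread)

# PAM-backed methods. With UsePAM yes, both "password" and
# "keyboard-interactive" are checked against the PAM service "sshd",
# which is where pam_google_authenticator is hooked in.
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes   # ChallengeResponseAuthentication yes on older releases

# Host-based authentication for the semi-trusted devices.
HostbasedAuthentication yes
# Trust only host keys from the system-wide file, never users' ~/.ssh/known_hosts.
IgnoreUserKnownHosts yes
# Do not resolve or reverse-check the client's IP address; take the host
# name from the packet and require the presented host key to match the
# entry for that name in /etc/ssh/ssh_known_hosts. This is what lets a
# client behind CG-NAT or on a cellular network use hostbased.
HostbasedUsesNameFromPacketOnly yes

# Default policy: (publickey AND password) OR (publickey AND hostbased)
AuthenticationMethods publickey,password publickey,hostbased

# Devices on the VPN (placeholder range) only need the key, since the
# source address cannot be spoofed there.
Match Address 10.8.0.0/24
    AuthenticationMethods publickey
```

For hostbased to succeed, the server also needs the client's host name and user listed in /etc/ssh/shosts.equiv (or the user's ~/.shosts), and the client needs HostbasedAuthentication yes and EnableSSHKeysign yes in its ssh_config so that ssh-keysign can sign with the client's host key. Because the packet name is client-controlled, the security of this setup rests entirely on the host-key match in ssh_known_hosts, which is the point Demi made about DNS spoofing. Validate the file with sshd -t -f before reloading, and test with ssh -v, which prints the "Authentications that can continue" list the server returns after each partial success. One caveat for the open question at the end of the thread: with UsePAM yes, the "password" and "keyboard-interactive" methods are both authenticated by the same PAM service (sshd), so a second-factor module placed in /etc/pam.d/sshd applies to both methods.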