Michael Ströder
2022-Mar-07 16:38 UTC
Does a known security issue allow ssh login via system accounts?
On 3/7/22 17:14, Whit Blauvelt wrote:
> Found the culprit: me. I was stupid enough to install and configure for
> libpam-google-auth, given a company mandate to 2FA all connections with
> admin access,

libpam-google-auth and other similar PAM modules require storing the token's shared secrets on the server. If your system gets hacked and shared secrets are stolen, the attacker can generate an arbitrary number of valid OTP values. And if you use the same shared secrets on multiple servers, the security impact will be broad.

=> Don't use that.

> Has there been consideration
> of adding 2FA to OpenSSH that doesn't require enabling PAM? Public keys and
> IP restrictions seem enough to me.

Use the new FIDO key type. Or use short-term OpenSSH user certificates issued by a secured SSH-CA which uses 2FA for user authc.

Ciao, Michael.
Brian Candler
2022-Mar-07 17:29 UTC
Does a known security issue allow ssh login via system accounts?
On 07/03/2022 16:38, Michael Ströder wrote:
> libpam-google-auth and other similar PAM modules require storing the
> token's shared secrets on the server. If your system gets hacked and
> shared secrets are stolen, the attacker can generate an arbitrary
> number of valid OTP values. And if you use the same shared secrets on
> multiple servers, the security impact will be broad.
>
> => Don't use that.

That's a nice thing about pam_yubico with real Yubikeys: they can be validated against the Yubico cloud API, without any local secrets.

I have also experimentally got TOTP validation working against a Hashicorp Vault server: https://github.com/candlerb/vault-totp-helper (I would be interested in having extra eyes on this)