Brian Candler
2022-Mar-07 17:29 UTC
Does a known security issue allow ssh login via system accounts?
On 07/03/2022 16:38, Michael Ströder wrote:
> libpam-google-auth and other similar PAM modules require to store the
> token's shared secrets on the server. If your system gets hacked and
> shared secrets are stolen the attacker can generate an arbitrary
> amount of valid OTP values. And if you use the same shared secrets on
> multiple servers the security impact will be broad.
>
> => Don't use that.

That's a nice thing about pam_yubico with real Yubikeys: they can be validated against the Yubico cloud API, without any local secrets.

I have also experimentally got TOTP validation working against a Hashicorp Vault server: https://github.com/candlerb/vault-totp-helper (I would be interested in having extra eyes on this)
Philipp Marek
2022-Mar-07 17:40 UTC
Does a known security issue allow ssh login via system accounts?
> That's a nice thing about pam_yubico with real Yubikeys: they can be
> validated against the Yubico cloud API, without any local secrets.

Just to make sure I understand you correctly - a cloud service determines whether some access to your server is to be granted?
Michael Ströder
2022-Mar-07 18:02 UTC
Does a known security issue allow ssh login via system accounts?
On 3/7/22 18:29, Brian Candler wrote:
> On 07/03/2022 16:38, Michael Ströder wrote:
>> libpam-google-auth and other similar PAM modules require to store the
>> token's shared secrets on the server. If your system gets hacked and
>> shared secrets are stolen the attacker can generate an arbitrary
>> amount of valid OTP values. And if you use the same shared secrets on
>> multiple servers the security impact will be broad.
>>
>> => Don't use that.
>
> That's a nice thing about pam_yubico with real Yubikeys: they can be
> validated against the Yubico cloud API, without any local secrets.

1. I'd never want to use pre-provisioned tokens with admins' shared secrets stored in the cloud and reach out to it via Internet from every internal server.

Shameless plug: I'm using my own OATH-LDAP with shared secrets stored encrypted in OpenLDAP, but not for SSH (see 3.).

2. Consider availability issues: In case of urgent admin SSH access your infrastructure might be (partially) broken and Yubico's cloud unreachable.

3. Furthermore any OTP mechanism is not really usable when using tools like ansible or similar in mass deployments.

BTW: Using keys on hardware tokens including U2F/Fido is also too slow if you initially connect to thousands of machines.

=> Use an SSH-CA which issues short-term user certs.

Ciao, Michael.
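The SSH-CA approach Michael closes with, as an added example that is not part of the thread: a small POSIX shell script that issues a short-lived OpenSSH user certificate from a CA key and checks the certificate's lifetime against a maximum, so that a "forever" certificate is rejected. It assumes ssh-keygen is installed and that `date -d` is available (GNU or busybox); the CA and user keys are throwaway keys generated into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread: issue a short-lived OpenSSH user
# certificate with a CA key and enforce a maximum lifetime on it.
# Assumes ssh-keygen and a `date` that understands -d (GNU or busybox).
set -eu

# Issue a user cert for "$1.pub", signed by CA key $2, for principal $3,
# valid for $4 (ssh-keygen -V syntax, e.g. 1h). Prints the cert path.
# ssh-keygen backdates the start by up to two minutes, so the resulting
# lifetime is slightly longer than the requested TTL.
issue_user_cert() {
    ssh-keygen -q -s "$2" -I "$3-$(date +%s)" -n "$3" -V "+$4" "$1.pub"
    echo "$1-cert.pub"
}

# Print the lifetime of certificate $1 in seconds (0 if it never expires),
# parsed from the "Valid: from ... to ..." line that ssh-keygen -L prints.
cert_lifetime() {
    valid=$(ssh-keygen -L -f "$1" | sed -n 's/^ *Valid: //p')
    case $valid in
        forever*) echo 0; return ;;
    esac
    from=$(echo "$valid" | awk '{print $2}' | tr T ' ')
    to=$(echo "$valid" | awk '{print $4}' | tr T ' ')
    echo $(( $(date -d "$to" +%s) - $(date -d "$from" +%s) ))
}

# Succeed only if cert $1 expires within $2 seconds; "forever" certs fail.
cert_is_short_lived() {
    life=$(cert_lifetime "$1")
    [ "$life" -gt 0 ] && [ "$life" -le "$2" ]
}

# Constructed demo keys in a scratch directory (never reuse these).
demo_setup() {
    DEMO=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C 'demo CA' -f "$DEMO/ca"
    ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$DEMO/alice"
}

demo_setup
cert=$(issue_user_cert "$DEMO/alice" "$DEMO/ca" alice 1h)
echo "lifetime of $cert: $(cert_lifetime "$cert")s"
```

On a real host the CA public key goes into `TrustedUserCAKeys` in sshd_config and the issuing step runs on the CA machine, not on the server being logged into.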