Displaying 20 results from an estimated 1000 matches similar to: "SSH multi factor authentication"
2016 Jul 04
2
SSH multi factor authentication
On Sun, 3 Jul 2016, Stephen Harris wrote:
> On Sun, Jul 03, 2016 at 09:19:43PM -0500, Bruce F Bading wrote:
> > One, the Google Authenticator (OTP authentication).
>
> On its own, this is not 2FA. It's single factor ("something you
> have").
>
> A combination of Google Authenticator _and_ password is 2FA. This is
> easy to do with PAM.
Agreed
>
2016 Jul 09
2
SSH multi factor authentication
On Thu, Jul 7, 2016 at 10:00 AM, Bruce F Bading <badingb at us.ibm.com> wrote:
>
> Hi Gentlemen,
>
> Thank you both for your valued opinion. I do however agree that public key
> authentication cannot be fully considered MFA as have 2 PCI QSAs I have
> spoken with. This is because it is not enforceable server side. Many
> things can affect client side security.
>
2004 Apr 07
2
Requiring multiple auth mechanisms
I looked around for a while, but couldn't find any code for requiring multiple
authentication mechanisms in openssh. So I wrote an implementation.
I thought at first I should change the PasswordAuthentication,
PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some
funky stuff in auth2.c with respect to keyboard interactive auth that would make
this kind of
2020 Jan 06
4
2FA for Dovecot
Hi,
My goal is to protect my mail account with 2FA, which isn't a crazy
idea in 2020. Therefore, I would like to know the possibilities of
configuring 2FA for Dovecot. In the documentation there are some hints
of e.g. OTP in Dovecot [1] and using FreeIPA with Dovecot [2], where
FreeIPA has the ability to enable OTP per user [3].
But I can't really find much practical information about
2023 Feb 20
1
(Open)SSH as a TOTP *Token*?
On Mon, 20 Feb 2023 at 20:03, Jochen Bern <Jochen.Bern at binect.de> wrote:
> A quick question, if I may: Today, I heard a rumour that "ssh" can be
> used as a TOTP *token* (i.e., accept or generate a secret for a
> configuration and generate TOTP codes from there on out, to be entered
> into some *other* software requesting them for 2FA).
I'm not aware of any way
2020 Jun 26
14
[Bug 3188] New: Problems creating a second ecdsa-sk key for a second Yubikey
https://bugzilla.mindrot.org/show_bug.cgi?id=3188
Bug ID: 3188
Summary: Problems creating a second ecdsa-sk key for a second
Yubikey
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
2008 Nov 11
4
Can expect do this?
Hi all,
I'm trying to scp some files from machine1 to machine2.
But, I'm in an environment where PubKeyAuthentication is not allowed in ssh :(
So, I'm confused how to automate it as cronjob.
However, I read somewhere that we can write a little bash script that
will utilize 'expect' to answer for the ssh password prompt?
Can we do this?
Any examples are great help.
Thank you.
2008 Jun 29
1
sshd_config question
Hi. I have configured sshd in OpenBSD to require publickey authentication.
I've tried configuring FreeBSD to do the same, but I can still login via keyboard authentication.
Here are the options I have in my sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
After setting those options I kill -HUP the sshd process.
Is there something simple I am missing?
2013 Mar 10
2
Logon with Client Certificate and OTP fallback
Dear Dovecot experts,
we have unusual authentication requirements, namely:
- almost all of our users are using a smartcard to connect
with our mailserver. Thunderbird is our friend here as it will
use the smartcard as an additional certificate store and
Thunderbird will do client certificate based authentication
when connecting via SSL with a mailserver
- there's no way (at least that I know
2016 Jul 16
3
Moving Maildir folders
Hey!! It is now showing the former users' folders at the top level of the current user. Great!
Perhaps dovecot just needed time to "index" the new messages? Anyway, Luigi's suggestion on
moving and renaming the folders apparently worked.
Thanks!!!! --Mark
-----Original Message-----
> Subject: Re: Moving Maildir folders
> From: Frank-Ulrich Sommer <f-u.s at
2015 Jan 09
5
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
I run OpenSSH on linux
@ client
which ssh
/usr/local/bin/ssh
ssh -v
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
@ server
which sshd
/usr/local/bin/sshd
sshd -v
unknown option -- V
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
2019 Nov 07
2
samba login with U2F token
Dear all,
I did try to google search the archives [1] but cannot find any
information on this.
Would it be possible to somehow implement a passwordless (or as a 2FA)
to login to a remote samba (linux server)?
Any suggestions greatly appreciated,
Greg
1. https://lists.samba.org/archive/samba/
2016 Jul 09
2
SSH multi factor authentication
On Sat, Jul 9, 2016 at 10:30 AM, Ben Lindstrom <mouring at eviladmin.org> wrote:
> You'd do this by either moving the authorized_keys to another root owned
> location using "AuthorizedKeysFile" (e.g. AuthorizedKeysFile
> /etc/ssh/keys/authorized_keys.%u). Or you use "AuthorizedKeysCommand" and
> put the keys into a "database" to reference
2020 Oct 21
6
"Semi-Trusted" SSH-Keys that also require PAM login
Hello all,
in order to connect to my SSH servers from untrusted devices like company computers or my smartphone, I set up 2FA with
google-authenticator hooked into PAM.
However, this is not really 2FA at least for the smartphone, since I use the same device for generating the TANs and it
is also at least inconvenient to always require a new TAN for each connection. I do not want to solely rely
2008 Apr 04
7
User-specific sshd_config?
Hi.
I wonder if it would be possible to implement support for a
user-specific sshd_config. The primary reason is that I would like the
ability to specify that I'm only allowed to login with a key pair, even
though the system-wide sshd configuration still allows passwords for
other users.
Of course, a user-specific sshd_config file should not be able to break
the security policy of the
2008 Dec 22
3
reloading a new kernel
Hi - is it possible to load a SMP version of a kernel on a system running
a single CPU version of the kernel without a reboot?
For instance, a quad CPU system was accidentally booted as
2.6.9-78.0.5.EL
but we need to load
2.6.9-78.0.5.ELsmp
instead.
Any help would be appreciated.
--
Article. VI. Clause 3 of the constitution of the United States states:
"The Senators and
2020 Apr 22
6
Recommendations on intrusion prevention/detection?
Dear all,
what are the key strategies for intrusion prevention and detection with
dovecot, apart from installing fail2ban?
It is a pity that the IMAP protocol does not support 2 factor
authentication, which seems to stop 90% of intrusion attempts in their
tracks. Without it, if someone has obtained your password and reads your
mail without modifying it, you will hardly ever notice.
Is there a
2006 Apr 08
1
[Bug 1180] Add finer-grained controls to sshd
http://bugzilla.mindrot.org/show_bug.cgi?id=1180
Summary: Add finer-grained controls to sshd
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: dtucker at
2011 Oct 09
1
Restricting users using one port
I have ssh running on port 22 and (say) port 33333. Port 22 is restricted at
layer 3 so not much can get to it. Port 33333 is open to the world.
I only want to allow one user to authenticate using port 33333, but
all users to authenticate using port 22.
Is there any way to do this without running 2 sshd processes?
--
Alex Bligh
2015 Jan 09
5
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
Hi,
On Fri, Jan 9, 2015, at 10:48 AM, Tim Rice wrote:
> My ssh_config has
> Host *
> HostbasedAuthentication yes
> EnableSSHKeysign yes
> NoHostAuthenticationForLocalhost yes
>
> NoHostAuthenticationForLocalhost is not necessary.
> The one you are missing is EnableSSHKeysign.
>
> Additionally, you made no mention of your ssh_known_hosts files. Make
> sure