This is a discussion on Re: two factor authentication within the OpenSSH Development forums, part of the Networking and Network Related category.
On July 22, 2006 12:15:07 PM -0500 jacob martinson <martinson.jacob@gmail.com> wrote:
> Are there any plans on the table to add native support for two-factor
> authentication, such as password *and* public key?

You can already do that. Public key is itself already 2-factor -- something you know (the pin/passcode) and something you have (the device on which the public key resides). Password, via PAM or BSDAUTH, allows any two-factor device the host (server) system supports.

> Visa PCI standards require two-factor authentication for remote access
> and if password+key was available in openssh it would be much easier
> to maintain and support than a full-blown vpn with all the
> cross-platform compatibility issues that come with one.

Well, requiring 2 *types* of authentication may not fulfill a 2-factor authentication requirement, at least not the intent. You are clearly trying to do away with a hardware token requirement (otherwise the hardware token alone is enough for 2-factor), so having a software public key is likely to be either protected by the same password as used for the password part of the authentication, or not protected at all. So if I obtained the password, for sure I would need at least temporary access to the client system to obtain the public key, but once that was achieved, I have the public key and that's that. Note the difference between "real" 2-factor auth, where temporary access to the device only gives me temporary access to the server (assuming the passcode/pin is already known).

If we don't include Windows, then it's pretty easy to deploy a token-based 2-factor system; all modern unices and network devices will work with either pam/bsdauth or radius and give you pretty easy to deploy 2-factor auth.

If your reason to require password + public key is to avoid some implementation cost while meeting Visa standards, I suggest you consider that an audit (say post-compromise) will reveal that your method is really only 2-factor in name (given typical user behavior). The cost of deploying a cross-platform token solution is pretty low.

If you got down this far, check out www.tri-dsystems.com (full disclosure: they are my employer) for 2- and 3-factor solutions.

-frank
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/lis...enssh-unix-dev
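The two setups argued over above can both be expressed directly in sshd_config today, so here is an added example that is not part of the thread and was not available in the OpenSSH of 2006: the AuthenticationMethods directive, which makes sshd require several methods in sequence, arrived in OpenSSH 6.2 (2013). The first fragment is the password-plus-software-key combination the original poster asked for; the second is the variant Frank recommends, with the second factor routed through PAM's keyboard-interactive path, where a token module would sit. The two fragments are alternatives, not one file, and the group name "remote-admins" is invented for this example.

```sshd_config
# Added example, not from the thread. Needs OpenSSH 6.2 or later,
# which introduced AuthenticationMethods; this thread predates it.
# The two fragments below are alternatives. Use one, not both.

# --- Fragment 1: password AND software key (what the poster asked for) ---
# Two *types* of authentication, but if the private key file is
# unprotected, or protected with the same password used for the login,
# a copied key plus that one password is a permanent login.
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password

# --- Fragment 2: key AND a token-backed second factor via PAM ---
# sshd must be built with PAM support. The token check itself is
# configured in the sshd PAM stack (for example /etc/pam.d/sshd) and
# is not shown here. Plain password logins are switched off so the
# password prompt cannot stand in for the token.
# "ChallengeResponseAuthentication" is the name of the same option in
# releases older than 8.7.
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam

# Optional: confine the two-factor requirement to the remote-access
# group ("remote-admins" is a made-up name for this example).
Match Group remote-admins
    AuthenticationMethods publickey,keyboard-interactive:pam
```

Validate the result before reloading with `sshd -t -f /path/to/sshd_config`, which parses the file and reports syntax or unknown-option errors without starting the daemon. With fragment 2, the order matters: sshd tries the listed methods left to right, so the client must present a valid key before it is ever prompted for the token, and a stolen key on its own gets no further than that prompt.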