This is a discussion on Re: two factor authentication within the OpenSSH Development forums, part of the Networking and Network Related category.
On July 22, 2006 7:08:59 PM -0500 jacob martinson <martinson.jacob@gmail.com> wrote:
> On 7/22/06, Frank Cusack <fcusack@fcusack.com> wrote:
>> On July 22, 2006 12:15:07 PM -0500 jacob martinson <martinson.jacob@gmail.com> wrote:
>> > Are there any plans on the table to add native support for two-factor
>> > authentication, such as password *and* public key?
>>
>> You can already do that. Public key is itself already 2-factor --
>> something you know (the pin/passcode) and something you have (the
>> device on which the public key resides). Password, via PAM or BSDAUTH,
>> allows any two factor device the host (server) system supports.
>
> You can? How can you configure ssh to require both successful
> password authentication (via the underlying OS password verification
> mechanisms) and public key auth before the user is allowed onto the
> system?

Sorry, I meant you can already do native 2-factor auth via publickey or via password alone.

> Public key is only single factor. All you need to know to
> authenticate is the private key. There is no way to enforce
> passphrase protection of the private from the server's perspective so
> - unless I'm missing something - that isn't two-factor.

You are correct, for files on disk. But publickey can also be used with smartcards and via control of authorized_keys or using X.509 (there's a patch for that) you can restrict to keys known to be protected by a pin/passphrase.

Or if the environment is small enough and you can trust your users to have good passphrases you can probably claim 2-factor. The server doesn't enforce that but your policy can. (in limited cases)

-frank

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/lis...enssh-unix-dev
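The question in this thread (requiring both publickey and password) later became expressible in sshd_config through the AuthenticationMethods directive, where space-separated lists are alternatives and the comma-separated methods within one list must all succeed. Below is an added example, not from the thread or the OpenSSH project, that audits a config for that property; the two sample configs are constructed, and the check assumes the keyword is spelled AuthenticationMethods and ignores Match blocks.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an sshd_config
# really forces two factors. Per sshd_config(5), AuthenticationMethods
# takes one or more space-separated lists; login succeeds when every
# method in at least ONE list succeeds. So "publickey password" is a
# choice of either, while "publickey,password" demands both.

# Constructed sample configs.
CFG_WEAK='PubkeyAuthentication yes
PasswordAuthentication yes
# Two alternative lists: either factor alone lets the user in.
AuthenticationMethods publickey password'

CFG_STRONG='PubkeyAuthentication yes
PasswordAuthentication yes
# One list: publickey must succeed, then password.
AuthenticationMethods publickey,password'

# requires_two_factors CONFIG_TEXT
# Returns 0 only if an AuthenticationMethods directive is present and every
# alternative list contains publickey plus password or keyboard-interactive
# (which may carry a suffix such as keyboard-interactive:pam).
# Limitation (assumption): only the first top-level directive is examined;
# Match blocks are not evaluated.
requires_two_factors() {
    methods=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*AuthenticationMethods[[:space:]]*//p' \
        | head -n 1)
    [ -n "$methods" ] || return 1
    for alt in $methods; do
        # Wrap in commas so each method name matches as a whole token.
        case ",$alt," in
            *,publickey,*) ;;
            *) return 1 ;;
        esac
        case ",$alt," in
            *,password,*|*,keyboard-interactive,*|*,keyboard-interactive:*,*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Stand-alone usage: report on both constructed configs.
if requires_two_factors "$CFG_STRONG"; then echo "strong: both factors required"; fi
if ! requires_two_factors "$CFG_WEAK"; then echo "weak: a single factor suffices"; fi
```

To audit a live host, pass the output of `sshd -T` (the effective config) instead of a file, since defaults and includes are already resolved there.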