two factor authentication

Alon Bar-Lev alon.barlev at gmail.com
Sun Jul 23 04:13:39 EST 2006


jacob martinson wrote:
> Are there any plans on the table to add native support for two-factor
> authentication, such as password *and* public key?
> 
> Visa PCI standards require two-factor authentication for remote access
> and if password+key was available in openssh it would be much easier
> to maintain and support than a full-blown vpn with all the
> cross-platform compatibility issues that come with one.

Well...
This depends on the interpretation of what two factor authentication is...

The regular interpretation is "something you have" and "something you know".

"something you have" is usually a smartcard device, although using files
for poor people can also be accepted if high security is not needed.

"something you know" is usually a password for a server (when you use one
factor authentication), or the password to access the private key in two factor
authentication.

Since a private key is stronger than a password, there is no real sense in
not protecting the private key itself using "something you know",
and negotiating remote authentication by the stronger mechanism, which resides
on "something you have".

There is limited smartcard support in openssh for opensc cards. There is
more generic PKCS#11 support available as an external patch at
http://alon.barlev.googlepages.com/openssh-pkcs11

Best Regards,
Alon Bar-Lev.
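The point made above, that the "something you have" is only a second factor when the private key file itself is locked with "something you know", is something an administrator can audit for. The following is an added example, not code from this thread or from OpenSSH: it parses only the header fields of an OpenSSH private key file (the `openssh-key-v1` container, plus the legacy PEM `Proc-Type` header) and reports whether the key on disk is passphrase-encrypted. The key files it is run on here are constructed samples with a valid header and dummy payload; they contain no real key material, and the parser never reads past the header.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    start = off + 4
    return buf[start:start + n], start + n


def parse_openssh_header(key_text: str):
    """Return (cipher, kdf, nkeys) from an 'openssh-key-v1' private key file.
    Only the header is parsed; the key material itself is never touched."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if (lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----"
            or lines[-1] != "-----END OPENSSH PRIVATE KEY-----"):
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(OPENSSH_MAGIC)
    cipher, off = _read_ssh_string(blob, off)      # e.g. "none" or "aes256-ctr"
    kdf, off = _read_ssh_string(blob, off)         # e.g. "none" or "bcrypt"
    _kdfopts, off = _read_ssh_string(blob, off)    # salt + rounds when kdf != none
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    return cipher.decode("ascii"), kdf.decode("ascii"), nkeys


def is_passphrase_protected(key_text: str) -> bool:
    """True if the private key on disk is encrypted under a passphrase."""
    first = key_text.strip().splitlines()[0].strip()
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        cipher, kdf, _ = parse_openssh_header(key_text)
        # An unprotected key stores cipher "none" and kdf "none".
        return cipher != "none" and kdf != "none"
    # Legacy PEM ("BEGIN RSA PRIVATE KEY" etc.): encryption is flagged by a header line.
    return any(ln.strip().startswith("Proc-Type: 4,ENCRYPTED")
               for ln in key_text.splitlines())


def constructed_openssh_key(cipher: str, kdf: str) -> str:
    """Build a CONSTRUCTED key file with a valid header and dummy payload, for
    demonstrating the parser only; it holds no real key material."""
    body = (OPENSSH_MAGIC
            + _ssh_string(cipher.encode())
            + _ssh_string(kdf.encode())
            + _ssh_string(b"")                    # kdfoptions (empty in this sample)
            + struct.pack(">I", 1)                # nkeys
            + _ssh_string(b"DUMMY-PUBLIC-KEY")
            + _ssh_string(b"DUMMY-PRIVATE-SECTION"))
    b64 = base64.b64encode(body).decode("ascii")
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# CONSTRUCTED legacy-format sample: only the header lines matter to the check.
CONSTRUCTED_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

Tm90IGEgcmVhbCBrZXkuIENvbnN0cnVjdGVkIHNhbXBsZSBvbmx5Lg==
-----END RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    samples = [
        ("unprotected openssh key", constructed_openssh_key("none", "none")),
        ("protected openssh key", constructed_openssh_key("aes256-ctr", "bcrypt")),
        ("legacy encrypted PEM", CONSTRUCTED_LEGACY_ENCRYPTED),
    ]
    for label, text in samples:
        print(f"{label}: passphrase-protected={is_passphrase_protected(text)}")
```

Run against the contents of a real `~/.ssh/id_*` file, `is_passphrase_protected` gives the answer to the question the post raises: a key reporting cipher `none` is a single factor sitting on disk, not "something you have" guarded by "something you know".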



More information about the openssh-unix-dev mailing list