two factor authentication

Frank Cusack fcusack at fcusack.com
Sun Jul 23 09:43:50 EST 2006


On July 22, 2006 12:15:07 PM -0500 jacob martinson <martinson.jacob at gmail.com> wrote:
> Are there any plans on the table to add native support for two-factor
> authentication, such as password *and* public key?

You can already do that.  Public key is itself already 2-factor --
something you know (the pin/passcode) and something you have (the
device on which the public key resides).  Password, via PAM or BSDAUTH,
allows any two factor device the host (server) system supports.

> Visa PCI standards require two-factor authentication for remote access
> and if password+key was available in openssh it would be much easier
> to maintain and support than a full-blown vpn with all the
> cross-platform compatibility issues that come with one.

Well, requiring 2 *types* of authentication may not fulfill a 2-factor
authentication requirement, at least not the intent.  You are clearly
trying to do away with a hardware token requirement (otherwise the
hardware token alone is enough for 2-factor), so having a software
public key is likely to be either protected by the same password as
used for the password part of the authentication, or not protected
at all.  So if I obtained the password, for sure I would need at
least temporary access to the client system to obtain the public key,
but once that was achieved, I have the public key and that's that.

Note the difference between "real" 2-factor auth, where temporary
access to the device only gives me temporary access to the server
(assuming the passcode/pin is already known).

If we don't include windows, then it's pretty easy to deploy a token-
based 2-factor system; all modern unices and network devices will work
with either pam/bsdauth or radius and give you pretty easy to deploy
2-factor auth.

If your reason to require password + public key is to avoid some
implementation cost while meeting Visa standards, I suggest you consider
that an audit (say post-compromise) will reveal that your method is
really only 2-factor in name (given typical user behavior).  The cost
of deploying a cross-platform token solution is pretty low.

If you got down this far, check out www.tri-dsystems.com (full
disclosure: they are my employer) for 2- and 3-factor solutions.

-frank
