two factor authentication

Jefferson Ogata Jefferson.Ogata at noaa.gov
Sun Jul 23 11:50:20 EST 2006


On 2006-07-23 01:27, Frank Cusack wrote:
> On July 22, 2006 7:08:59 PM -0500 jacob martinson <martinson.jacob at gmail.com> wrote:
>> On 7/22/06, Frank Cusack <fcusack at fcusack.com> wrote:
>>> On July 22, 2006 12:15:07 PM -0500 jacob martinson <martinson.jacob at gmail.com> wrote:
>>>> Are there any plans on the table to add native support for two-factor
>>>> authentication, such as password *and* public key?
>>> You can already do that.  Public key is itself already 2-factor --
>>> something you know (the pin/passcode) and something you have (the
>>> device on which the public key resides).  Password, via PAM or BSDAUTH,
>>> allows any two factor device the host (server) system supports.
>>>
>> You can?  How can you configure ssh to require both successful
>> password authentication (via the underlying OS password verification
>> mechanisms) and public key auth before the user is allowed onto the
>> system?
> 
> Sorry, I meant you can already do native 2-factor auth via publickey
> or via password alone.

Calling public-key "2-factor" is just spin.

1. You can't force people to put a passphrase on their private key.

2. You can't keep people from storing the key in ssh-agent.

3. If the private key--the actual factor--is compromised, it doesn't
matter if someone originally had a passphrase on it.

The point of multiple factors is to have a backup in case one of the
factors is compromised.

Some time back I wrote a patch to allow sshd to require multiple
authentication passes to succeed, so, e.g. public key could be combined
with s/key to achieve something like two-factor without a smartcard;
here the thing you have is the piece of paper with the one-time
passwords written on it, and if it falls out of your pocket at the
convenience store, it presents no threat by itself because there's a
keypair somewhere that's also needed; conversely if your keypair is
compromised that doesn't give the intruder access to your pocket.

There are other patches out there that are better than my little hack. I
would look into that.

> You are correct, for files on disk.  But publickey can also be used
> with smartcards and via control of authorized_keys or using X.509
> (there's a patch for that) you can restrict to keys known to be
> protected by a pin/passphrase.

How?

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service



More information about the openssh-unix-dev mailing list