two factor authentication

Jefferson Ogata Jefferson.Ogata at noaa.gov
Tue Jul 25 06:57:32 EST 2006


On 2006-07-24 20:38, Frank Cusack wrote:
> On July 23, 2006 8:57:21 AM +0000 Jefferson Ogata <Jefferson.Ogata at noaa.gov> wrote:
>> But you appear to be playing word games with respect to two-factor
>> authentication. A management entity that says, "you must use two-factor
>> auth" won't be charmed by your fancy footwork--if you convince them that
>> public keys with smartcards is two-factor auth, they'll say, "fine, then
>> you have to do three-factor auth".
> 
> Don't make me laugh.  A "management entity" is likely only to be concerned
> about 2-factor auth because of input from internal IT (and then just as
> likely to be ignored as not) or from a 3rd-party audit, not because of
> experience with what 2-factor means and what it achieves.

Well, I'm guessing you haven't read this:

    http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

"... recommending all departments and agencies take the following
actions: ... Allow remote access only with two-factor authentication
where one of the factors is provided by a device separate from the
computer gaining access."

For the US federal government in general, which has to implement these
recommendations, this is clearly not the result of input from "internal
IT". It's a decree from the White House--the supreme US government
management entity--largely in reaction to the VA laptop debacle.

> I do disagree with you on whether or not a smartcard is 2 factor ... ok
> technically yes, if you can get the key out of it, then the other factor
> is just shine, but at what cost?  For the typical threat that has to be
> protected against, a smartcard is sufficiently 2-factor.

Well, I was actually provisionally agreeing with you that with a
smartcard from which the key is not directly accessible, yes you may
arguably have two factors. But I don't think the White House will
consider it so.

>> The real question that it would be nice to see answered is how to get
>> sshd to do n-factor authentication, rather than quibbling over how many
>> factors are involved in some particular authentication strategy. This
>> would be addressing the spirit of the original question, not trying to
>> use semantics to get out of solving the problem.
> 
> I answered that twice: PAM/BSDAUTH with the correct backends, or publickey
> with smartcards.  And to repeat myself, in the case where you can't change
> sshd (say sshd on a router) then as long as you can do RADIUS you can
> generally get multifactor auth via OTP tokens.  I'm quite surprised that
> you would misread the smartcard part of my answer as trying to wrangle out
> of the question.

I read it that way because instead of saying, "no, there's nothing
native in sshd but there are ways to force sshd to pass authentication
to other modules which may do multiple factors," you asserted that
pubkey was already 2-factor.

> It seems quite obvious how to have sshd do n-factor authentication in the
> way the OP suggested: modify the code to require this.  I believe there
> are already patches out there to do just that.  I suggested ways to do
> this without requiring changes to sshd.

And the patches were what I was drawing attention to. But since sshd is
largely about strong authentication, it would be nice to see it natively
support per-user configuration of multiple required authentication methods.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
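Added example, not part of this thread or of the OpenSSH project's own documentation: the native, per-user support for requiring several authentication methods that the post above asks for was later added to sshd as the AuthenticationMethods directive (OpenSSH 6.2 and later). The fragment below shows how a policy like the OMB memorandum's ("two factors, one of them from a separate device") is expressed with it, using a public key plus a PAM-driven one-time-password prompt. It assumes a PAM stack for the sshd service that already drives an OTP token (for example an OATH or RADIUS PAM module; which module is installed is an assumption, not something the thread specifies), and the user name and network in the Match blocks are placeholders.

```sshd_config
# Added example sshd_config fragment (not from the thread). Needs OpenSSH 6.2 or
# later for AuthenticationMethods. Assumes the "sshd" PAM service is configured
# with an OTP module, which supplies the factor held on a separate device.

# Hand keyboard-interactive prompts to PAM. Before OpenSSH 8.7 the second
# keyword is spelled ChallengeResponseAuthentication instead.
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no

# Global policy: a login must present a valid public key AND answer the
# PAM-driven OTP prompt. Either factor on its own is rejected.
AuthenticationMethods publickey,keyboard-interactive:pam

# Per-user override, the per-user configuration the post asks for: this
# placeholder account must instead prove possession of two different keys
# (sshd refuses to count the same key twice), e.g. two separate hardware tokens.
Match User example-admin
    AuthenticationMethods publickey,publickey

# Placeholder management network: a single factor is accepted from here.
# Match blocks apply in order and the first value obtained for a keyword wins,
# so example-admin connecting from this network still gets the two-key rule.
Match Address 10.0.0.0/8
    AuthenticationMethods publickey
```

Check a candidate file with `sshd -t -f /path/to/sshd_config` before reloading, and use `sshd -T -C user=example-admin,addr=10.1.2.3` to print the effective AuthenticationMethods value for a given user and source address, which is the quickest way to confirm that a Match block really loosens or tightens the policy as intended.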