SSH multi factor authentication
Stephen Harris
lists at spuddy.org
Mon Jul 4 12:53:37 AEST 2016
On Sun, Jul 03, 2016 at 09:19:43PM -0500, Bruce F Bading wrote:
> One, the Google Authenticator (OTP authentication).
On its own, this is not 2FA. It's single factor ("something you
have").
A combination of Google Authenticator _and_ password is 2FA. This is
easy to do with PAM.
> Two, Public/Private key authentication (pubkeyauthentication = yes) which
> supports pass phrase private key authentication.
This is 2FA in that you need the private key and the passphrase for it.
Unfortunately this can't be enforced at the server; it's client side.
That's because the client could _remove_ the passphrase and reduce
it to "something you have". The server can't tell the difference.
So, from a controls perspective, you have to assume "single factor".
--
rgds
Stephen
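
An added example, not part of the original post: it reads the header of an OpenSSH private key file to show why the passphrase is invisible to the server. The functions are hypothetical helpers; the field layout assumed is the openssh-key-v1 container, and both sample keys are constructed with placeholder bytes.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # header of the OpenSSH private key format

def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def build_sample(cipher: bytes, kdf: bytes, kdfopts: bytes, pub: bytes) -> str:
    """Constructed container with placeholder key material, for the demo only."""
    body = (MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(kdfopts)
            + struct.pack(">I", 1) + ssh_string(pub) + ssh_string(bytes(64)))
    b64 = base64.b64encode(body).decode()
    rows = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(["-----BEGIN OPENSSH PRIVATE KEY-----", *rows,
                      "-----END OPENSSH PRIVATE KEY-----"]) + "\n"

def inspect_private_key(pem: str):
    """Return (ciphername, kdfname, public_blob) from an openssh-key-v1 file."""
    data = base64.b64decode("".join(
        ln for ln in pem.splitlines() if ln and not ln.startswith("-----")))
    if not data.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    off, fields = len(MAGIC), []
    for i in range(5):  # ciphername, kdfname, kdfoptions, nkeys, publickey
        if off + 4 > len(data):
            raise ValueError("truncated key file")
        (n,) = struct.unpack_from(">I", data, off)
        off += 4
        if i == 3:  # nkeys is a bare uint32, not a length-prefixed string
            fields.append(n)
            continue
        if off + n > len(data):
            raise ValueError("truncated key file")
        fields.append(data[off:off + n])
        off += n
    return fields[0].decode(), fields[1].decode(), fields[4]

def has_passphrase(pem: str) -> bool:
    """True when the private section is encrypted (ciphername is not 'none')."""
    return inspect_private_key(pem)[0] != "none"

# Constructed sample data: one public key blob, stored with and without passphrase.
PUB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
PLAIN = build_sample(b"none", b"none", b"", PUB)
LOCKED = build_sample(b"aes256-ctr", b"bcrypt",
                      ssh_string(bytes(16)) + struct.pack(">I", 16), PUB)
```

The public blob, which is all the server ever holds, is byte-identical in both files; only the client-side ciphername field differs, so this check can only be run where the private key lives.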