SSH multi factor authentication

Bruce F Bading badingb at us.ibm.com
Fri Jul 8 00:00:28 AEST 2016 

Hi Gentlemen,

Thank you both for your valued opinion.  I do however agree that public key
authentication cannot be fully considered MFA as have 2 PCI QSAs I have
spoken with.  This is because it is not enforceable server side.  Many
things can affect client side security.

It is distributable and not enforceable at a single point.
The key can be regenerated or downloaded again and regenerated to remove
the paraphrase making it single factor authentication.
Keystoke loggers can log the keystrokes to unlock the key and capture it in
band on the client.
RSA and OTP generated by google authenticator w/password authentication can
occur out of band and since enforceable on the server side are much more
difficult to breach.

Again, I want to thank you both for your valued opinion and which everyone
a very great day.

Sincerely,
Bruce F. Bading
Senior Security Consultant

IBM Systems and Technology Group
830-237-6851
badingb at us.ibm.com
member ISACA since 1985


"United We Stand"

For those with risk, your time to remediate is today.
For those who have been breached, your time to remediate was yesterday!



From:	Damien Miller <djm at mindrot.org>
To:	Stephen Harris <lists at spuddy.org>
Cc:	Bruce F Bading/Austin/IBM at IBMUS, openssh-unix-dev at mindrot.org
Date:	07/04/2016 01:04 AM
Subject:	Re: SSH multi factor authentication



On Sun, 3 Jul 2016, Stephen Harris wrote:

> On Sun, Jul 03, 2016 at 09:19:43PM -0500, Bruce F Bading wrote:
> > One, the Google Authenticator (OTP authentication).
>
> On its own, this is not 2FA.  It's single factor ("something you
> have").
>
> A combination of Google Authenticator _and_ password is 2FA.  This is
> easy to do with PAM.

Agreed

> > Two, Public/Private key authentication (pubkeyauthentication = yes)
which
> > supports pass phrase private key authentication.
>
> This is 2FA in that you need the private key and the passphrase for it.

I don't agree - being able to unlock a private key is just part of
"possessing" it.

OTOH publickey+password authentication could be considered 2FA. Ideally
with the key rendered practically uncloneable by holding it on a token,
etc.

-d

More information about the openssh-unix-dev mailing list