SSH multi factor authentication
mouring at eviladmin.org
Sun Jul 10 00:30:57 AEST 2016
Nico Kadel-Garcia wrote:
> On Thu, Jul 7, 2016 at 10:00 AM, Bruce F Bading<badingb at us.ibm.com> wrote:
>> Hi Gentlemen,
>> Thank you both for your valued opinion. I do however agree that public key
>> authentication cannot be fully considered MFA as have 2 PCI QSAs I have
>> spoken with. This is because it is not enforceable server side. Many
>> things can affect client side security.
>> It is distributable and not enforceable at a single point.
>> The key can be regenerated or downloaded again and regenerated to remove
>> the paraphrase making it single factor authentication.
> It's not merely possible. It's popular, and nearly inevitable. And
> unless you can enforce use of a designated public key on the server
> side, for example by breaking ownership checks and making the file and
> directories owned by root with user groupo access, or by
> auto-replacing $HOME/.ssh/authorized_keys, well, the user can replace
> the key at whim with their own insecure key.
You'd do this by either moving the authorized_keys to another a root
owned location using "AuthorizedKeysFile" (e.g. AuthorizedKeysFile
/etc/ssh/keys/authorized_keys.%u). Or you use "AuthorizedKeysCommand"
and put the keys into a "database" to reference them via a simple
Personally I'd use the AuthorizedKeysCommand for this setup as it would
provide for a better programmatic way of managing keys.
More information about the openssh-unix-dev