Does a known security issue allow ssh login via system accounts?
Brian Candler
b.candler at pobox.com
Tue Mar 8 04:29:17 AEDT 2022
On 07/03/2022 16:38, Michael Ströder wrote:
> libpam-google-auth and other similar PAM modules require to store the
> token's shared secrets on the server. If your system gets hacked and
> shared secrets are stolen the attacker can generate an arbitrary
> amount of valid OTP values. And if you use the same shared secrets on
> multiple servers the security impact will be broad.
>
> => Don't use that.
That's a nice thing about pam_yubico with real Yubikeys: they can be
validated against the Yubico cloud API, without any local secrets.
I have also experimentally got TOTP validation working against a
Hashicorp Vault server: https://github.com/candlerb/vault-totp-helper
(I would be interested in having extra eyes on this)
More information about the openssh-unix-dev
mailing list