SSH multi factor authentication
Damien Miller
djm at mindrot.org
Mon Jul 4 16:04:23 AEST 2016
On Sun, 3 Jul 2016, Stephen Harris wrote:
> On Sun, Jul 03, 2016 at 09:19:43PM -0500, Bruce F Bading wrote:
> > One, the Google Authenticator (OTP authentication).
>
> On its own, this is not 2FA. It's single factor ("something you
> have").
>
> A combination of Google Authenticator _and_ password is 2FA. This is
> easy to do with PAM.

Agreed

> > Two, Public/Private key authentication (pubkeyauthentication = yes) which
> > supports pass phrase private key authentication.
>
> This is 2FA in that you need the private key and the passphrase for it.

I don't agree - being able to unlock a private key is just part of
"possessing" it.

OTOH publickey+password authentication could be considered 2FA. Ideally
with the key rendered practically uncloneable by holding it on a token, etc.

-d
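
The factor counting discussed in this thread, as an added example that is not part of the original message or of OpenSSH: a shell check that scores an sshd_config `AuthenticationMethods` value by its weakest acceptable method list. The function names and the `know`/`have`/`both` argument describing the PAM stack are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Scores the value of sshd_config's AuthenticationMethods
# using the factor definitions from the thread above.

# factors_in_list LIST KBDINT
# LIST is one comma-separated method list. KBDINT states what the PAM stack
# behind keyboard-interactive verifies (know, have or both); this is an
# assumption the caller supplies, since sshd_config alone cannot tell.
factors_in_list() {
    have=0; know=0
    old_ifs=$IFS; IFS=,
    for m in $1; do
        case ${m%%:*} in                     # drop a ":pam" style submethod
            publickey|hostbased) have=1 ;;   # passphrase counts as possession
            password) know=1 ;;
            keyboard-interactive)
                case $2 in
                    have) have=1 ;;          # e.g. OTP only
                    both) have=1; know=1 ;;  # e.g. OTP and password
                    *) know=1 ;;             # e.g. password only
                esac ;;
        esac
    done
    IFS=$old_ifs
    echo $((have + know))
}

# weakest_factor_count VALUE [KBDINT]
# VALUE is everything after the AuthenticationMethods keyword. sshd accepts
# a login that completes any one of the space-separated lists, so the list
# with the fewest distinct factors sets the effective strength.
weakest_factor_count() {
    min=
    for list in $1; do
        n=$(factors_in_list "$list" "${2:-know}")
        if [ -z "$min" ] || [ "$n" -lt "$min" ]; then min=$n; fi
    done
    echo "${min:-0}"
}

# Constructed sample values, not taken from any real server.
for v in "publickey" "publickey,password" "publickey,password publickey"; do
    printf '%-30s -> %s factor(s)\n' "$v" "$(weakest_factor_count "$v")"
done
```

The third sample scores as one factor because the bare `publickey` list is an accepted alternative to `publickey,password`.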