[wplug-internet] Two-factor authentication

Justin Smith justin at adminix.net
Wed Feb 11 09:41:13 EST 2015


I had an interesting discussion with Pat on IRC yesterday about OTP versus 
SSH keys. Both measures provide additional protection beyond what a 
password can provide. OTP is more complex to implement but gives the 
ability to log in from any computer with minimal effort, while SSH keys are 
simpler to implement but require the user to tote around the SSH key, 
which can be a pain.

It isn't necessarily that I'm entirely sold on OTP for WPLUG; however, having 
read about so many security failures in the news recently, I feel it would be 
wise to consider implementing additional security, if practical, to ensure 
that people's private information stays private. 

Given the choice, I'd prefer OTP to SSH keys, and Pat said yesterday that 
they feel similarly. However, requiring SSH keys for certain user accounts, as 
Vance suggested, would be a good alternative. We could also consider 
encryption as John suggested.

As an interesting side note, Haiku is interested in using both SSH keys 
/and/ OTP. That's far outside the scope of our security requirements, but 
it's interesting to note that it can be done if you follow steps similar to the 
ones described in this article[1].

Google Authenticator is proprietary software, so I certainly don't 
recommend using it, but the changes to the sshd config file and PAM file 
are the same to get PAM to play nice with SSH keys.


*Justin Smith*
GNU/Linux System Administrator

/"Nothing in this world can take the place of persistence. Talent will not; 
nothing is more common than unsuccessful people with talent. Genius will 
not; unrewarded genius is almost a proverb. Education will not; the world is 
full of educated derelicts."/

/-Calvin Coolidge/

--------
[1] http://delyan.me/securing-ssh-with-totp/
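
An added example, not part of the original post or the linked article: a check that an sshd configuration really demands both an SSH key and the PAM prompt where an OTP module would sit, as in the key-plus-OTP setup mentioned above. It assumes the requirement is expressed with OpenSSH's AuthenticationMethods directive (the post does not name it) and reads text in the form printed by `sshd -T`; the function name and sample inputs are constructed.

```shell
#!/bin/sh
# Reads `sshd -T` style output on stdin. Returns 0 only when every
# permitted login path needs publickey AND keyboard-interactive (the
# PAM conversation) and PAM is enabled. It cannot see the PAM stack:
# whether an OTP module is actually configured there is assumed.
requires_key_and_otp() {
    awk '
        { key = tolower($1) }
        key == "usepam" { pam = (tolower($2) == "yes") }
        key == "authenticationmethods" {
            seen = 1
            # Each space-separated list is an alternative and any one of
            # them is enough to log in, so every list must hold both.
            for (i = 2; i <= NF; i++) {
                n = split($i, m, ",")
                k = 0; o = 0
                for (j = 1; j <= n; j++) {
                    sub(/:.*/, "", m[j])   # drop a ":pam" style suffix
                    if (m[j] == "publickey") k = 1
                    if (m[j] == "keyboard-interactive") o = 1
                }
                if (!(k && o)) bad = 1
            }
        }
        END { exit !(seen && pam && !bad) }
    '
}

# Constructed sample inputs (not taken from any real host).
GOOD='usepam yes
authenticationmethods publickey,keyboard-interactive:pam'
# Space instead of comma: key OR prompt, so one factor is enough.
KEY_OR_OTP='usepam yes
authenticationmethods publickey keyboard-interactive'
# What sshd -T reports when the directive is not set at all.
DEFAULT='usepam yes
authenticationmethods any'

for name in GOOD KEY_OR_OTP DEFAULT; do
    eval "cfg=\$$name"
    if printf '%s\n' "$cfg" | requires_key_and_otp; then
        echo "$name: both factors required"
    else
        echo "$name: a single factor (or none) is enough"
    fi
done
```

On a live host the input would come from `sshd -T` run as root; the result describes only the default connection, not any Match blocks.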