[wplug-internet] Two-factor authentication

John Lewis oflameo2 at gmail.com
Thu Feb 12 18:38:22 EST 2015


I just found juicessh for Android.
http://android.appkop.com/juicessh-ssh-client-202-129792.html

My company's Systems Engineer says he uses ConnectBot
https://play.google.com/store/apps/details?id=org.connectbot

Have you tried either of those to manage your keys?


What is your problem with the public knowing about the details of
security? I thought you believed in open information. If we are as close
to being compromised as you say we are, then the system crackers
wouldn't care about what information we have on our mailing list as long
as we aren't just posting all of our passwords.


I just find the claim that ssh keys are too hard to use to be a tall
claim to prove. I am going to need more evidence before I can believe
such a claim. Your previous claim that OTP authentication needed the
same modifications to the PAM config to work as the changes needed for
SSH keys to work has been disproved because the PAM config needed no
modification to support SSH keys. The second factor needed to
authenticate (decrypt an ssh key) is client side only, so it would be
extremely difficult to man in the middle that. I am wondering if we need
an ssh refresher course or something.


I am also worried about the fragility of the two factor authentication
software. For example, a Google Authenticator update locked people out of
their accounts.
http://techcrunch.com/2013/09/04/dont-install-the-google-authenticator-for-ios-update-unless-you-want-your-stored-user-accounts-wiped/


So far you have been pretty vague about what you want to implement. Do
you want to implement Hashed Message Authentication Code based One Time
Password or Time-based One Time Password? For anyone else who wishes to
be informed, I recommend reading this https://lwn.net/Articles/470764/.

Remember, anyone who wants two factor authentication right now already
has the option in ssh keys. Here is a nice thread on serverfault about
it:
http://serverfault.com/questions/2429/how-do-you-setup-ssh-to-authenticate-using-keys-instead-of-a-username-password#2436




On 02/12/2015 05:18 PM, Justin Smith wrote:
> There aren't any smartphone apps that manage SSH keys - at least, not on Android. You can put your private key on your smartphone's storage partition, if it supports that, but you'd also have to carry around a USB cable and hope that whatever computer you want to connect from doesn't require a particular driver or package to be installed in order to recognize the smartphone's storage partition.
>
> For instance, in order to get my laptop to recognize my OnePlus One, I had to install an additional package. On Windows, I'd probably have to install an additional driver. That just isn't possible on a public computer.
>
> So basically, OTP requires administrative work but is more flexible for end-users, while SSH keys are easy from an administrative perspective but are less flexible for end-users. The ease of use for end-users is probably why OTP products like Authy and Google Authenticator have become such popular methods of two-factor authentication.
>
> If you want to know why I'm concerned about information security, re-read my initial email. There are a lot of high-profile information breaches in the news these days. These breaches have two things in common: relatively lax security and information stored in cleartext.
>
> I won't go into details about this on a public mailing list, but our current setup isn't much better than that. I certainly wouldn't want to be the one to have to contact the people in our membership file to explain that someone broke into our server and has their personal information. It would be an embarrassment.
>
> I also think improved security is good from a manpower perspective. The less chance there is of user accounts being compromised - wheel accounts in particular - the less potential there is that we'll suffer a serious security breach, and the fewer potential problems we'll have to deal with.
>
>
> *Justin Smith*
> GNU/Linux System Administrator
>
> /"Nothing in this world can take the place of persistence. Talent will not; nothing is more common than unsuccessful people with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts."/
>
> /-Calvin Coolidge/
>
>
>
> _______________________________________________
> wplug-internet mailing list
> wplug-internet at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug-internet
