[wplug-internet] Two-factor authentication

Justin Smith justin at adminix.net
Fri Feb 13 08:04:24 EST 2015


What I said about PAM and SSH was a typo. In its original context, I was talking about how Haiku wants to use both SSH keys /and/ OTP (TOTP) and then linked to an article I used as a reference in implementing that. I'm tired, too. I've had to deal with a /lot/ of user complaints about silly things at work.

JuiceSSH is proprietary software, and ConnectBot is a dead project. There just isn't a good SSH client for Android, and even if there was, trying to view and execute commands on a tiny screen and virtual keyboard is less than ideal. Even if there was, SSH keys would still be less flexible than OTP because you couldn't hop on /any/ computer and get started. 

And that was my whole point: SSH keys are less /flexible/, which makes OTP a bit easier to use in practice since you can log in from any computer. If you want to use JuiceSSH, you can still use it with OTP, /and/ you could hop on a public computer and log in from there as well. You can't do that with SSH keys. They aren't hard; they just aren't as flexible.

Using Google Authenticator and iOS as an example of the potential problems with OTP really isn't the best choice since it's not what our typical usage would be, but for argument's sake, let's assume that it applies. Recovering is as simple as re-entering the appropriate "secret" value. We would have had to send the original recipient his secret somehow, right?

Since a user generates his own SSH keys, it's conceivable that he might lose his SSH key - say, through a hard drive failure - and not have a backup. In that case, we'd have to delete the old key from the VPS and add a new one. If someone's OTP client got borked and he /didn't/ have the original communication, recovering wouldn't be any more difficult than that; we'd just need to pull up /etc/users.oath and send him the "secret" again. 

But honestly, if this is all the attention this discussion is going to attract, it's pretty obvious that support for implementing any sort of two-factor authentication is lukewarm at best, and we're probably just wasting bits talking about it.

-- 
*Justin Smith*
GNU/Linux System Administrator

/"Nothing in this world can take the place of persistence. Talent will not; nothing is more common than unsuccessful people with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts."/

/-Calvin Coolidge/
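The recovery argument above (re-entering the stored "secret" is all a user needs to get a working OTP client back) rests on how TOTP works: the code is a pure function of the shared secret and the current time step. The following is an added example, not code from the poster or from oath-toolkit. It implements RFC 4226 HOTP and RFC 6238 TOTP in Python, parses a constructed line in the /etc/users.oath style (the `HOTP/T30 user - hexsecret` layout is an assumption about that file's format), and includes a server-side verifier with a small clock-drift window. The secret is the RFC test key, not a real credential.

```python
import hashlib
import hmac
import struct

# Constructed sample line in the /etc/users.oath style (assumed format:
# type/step, username, PIN field where "-" means none, hex-encoded secret).
# The secret is the RFC 4226/6238 test key "12345678901234567890" in hex.
SAMPLE_USERS_OATH_LINE = "HOTP/T30 alice - 3132333435363738393031323334353637383930"


def parse_users_oath_line(line: str) -> dict:
    """Parse one users.oath-style line into its parts (format assumed here)."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields: type user pin secret")
    mode, user, pin, hexsecret = fields
    parts = mode.split("/")  # e.g. ["HOTP", "T30"] or ["HOTP", "T30", "6"]
    if parts[0] != "HOTP":
        raise ValueError("unsupported OTP type: %s" % parts[0])
    # "T30" marks a time-based (TOTP) entry with a 30-second step.
    step = int(parts[1][1:]) if len(parts) > 1 and parts[1].startswith("T") else None
    digits = int(parts[2]) if len(parts) > 2 else 6
    return {
        "user": user,
        "pin": None if pin == "-" else pin,
        "secret": bytes.fromhex(hexsecret),
        "step": step,
        "digits": digits,
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept a code for the current step or up to `window` steps either side.

    The comparison is constant-time so a verifier does not leak which digits matched.
    """
    counter = int(timestamp) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def reprovisioned_client_agrees(line: str, timestamp: int) -> bool:
    """A fresh client seeded from the stored secret yields the same code as the old one."""
    entry = parse_users_oath_line(line)
    original = totp(entry["secret"], timestamp, entry["step"], entry["digits"])
    # "Recovery": the user re-enters the hex secret from the server's file on a new device.
    reprovisioned_secret = bytes.fromhex(line.split()[3])
    replacement = totp(reprovisioned_secret, timestamp, entry["step"], entry["digits"])
    return original == replacement


if __name__ == "__main__":
    entry = parse_users_oath_line(SAMPLE_USERS_OATH_LINE)
    print(entry["user"], totp(entry["secret"], 59, entry["step"], entry["digits"]))
```

The `window` argument is the practical knob here: a window of one step tolerates about 30 seconds of phone clock drift, while a larger window widens the set of codes a verifier will accept, so it should stay small.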