<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I just found juicessh for Android.
<a class="moz-txt-link-freetext" href="http://android.appkop.com/juicessh-ssh-client-202-129792.html">http://android.appkop.com/juicessh-ssh-client-202-129792.html</a><br>
<br>
My companies Systems Engineer says he uses ConnectBot<br>
<a class="moz-txt-link-freetext" href="https://play.google.com/store/apps/details?id=org.connectbot">https://play.google.com/store/apps/details?id=org.connectbot</a><br>
<br>
Have you tried either of those to manage your keys?<br>
<br>
<br>
What is your problem with the public knowing about the details of
security? I thought you believed in open information. If we are as
close to being compromised as you say we are, then the system
crackers wouldn't care about what information we have on out mailing
list as long as we aren't just posting all of our passwords. <br>
<br>
<br>
I just find the claim that ssh keys being too hard to use to be a
tall claim to prove. I am going to need more evidence before I can
believe such a claim. Your previous claim that OTP authentication
needed the same modifications to the PAM config to work as the
changes needed for SSH keys to work has been disprove because the
PAM config needed no modification to support SSH keys. The second
factor needed to authenticate decrypt an ssh key is client side only
so it would be extremely difficult to man in the middle that. I am
wondering if we need an ssh refresher course or something.<br>
<br>
<br>
I am also worried about the fragility of the two factor
authentication software. For example a Google authenticator update
locked people out of their accounts.
<a class="moz-txt-link-freetext" href="http://techcrunch.com/2013/09/04/dont-install-the-google-authenticator-for-ios-update-unless-you-want-your-stored-user-accounts-wiped/">http://techcrunch.com/2013/09/04/dont-install-the-google-authenticator-for-ios-update-unless-you-want-your-stored-user-accounts-wiped/</a>.<br>
<br>
<br>
So far you have been pretty vague about what you want to implement.
Do you want to implement Hashed Message Authentication Code based
One Time Password or Time-based One Time Password? For anyone else
who wishes to be informed, I recommend reading this
<a class="moz-txt-link-freetext" href="https://lwn.net/Articles/470764/">https://lwn.net/Articles/470764/</a>.<br>
<br>
Remember, anyone who wants two factor authentication right now
already has the option in ssh keys. Here is a nice thread on
serverfault about it
<a class="moz-txt-link-freetext" href="http://serverfault.com/questions/2429/how-do-you-setup-ssh-to-authenticate-using-keys-instead-of-a-username-password#2436">http://serverfault.com/questions/2429/how-do-you-setup-ssh-to-authenticate-using-keys-instead-of-a-username-password#2436</a>.
<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 02/12/2015 05:18 PM, Justin Smith
wrote:<br>
</div>
<blockquote cite="mid:1919046.RuLcPiv3c4@percivale.site" type="cite">
<pre wrap="">There aren't any smartphone apps that manage SSH keys - at least, not on Android. You can put your private key on your smartphone's storage partition, if it supports that, but you'd also have to carry around a USB cable and hope that whatever computer you want to connect from doesn't require a particular driver or package to be installed in order to recognize the smartphone's storage partition.
For instance, in order to get my laptop to recognize my OnePlus One, I had to install an additional package. On Windows, I'd probably have to install an additional driver. That just isn't possible on a public computer.
So basically, OTP requires administrative work but is more flexible for end-users, while SSH keys are easy from an administrative perspective but are less flexible for end-users. The ease of use for end-users is probably why OTP products like Authy and Google Authenticator have become so popular methods of two-factor authentication.
If you want to know why I'm concerned about information security, re-read my initial email. There are a lot of high-profile information breaches in the news these days. These breaches have two things in common: relatively lax security and information stored in cleartext.
I won't go into details about this on a public mailing list, but our current setup isn't much better than that. I certainly wouldn't want to be the one to have to contact the people in our membership file to explain that someone broke into our server and has their personal information. It would be an embarrassment.
I also think improved security is good from a manpower perspective. The less chance there is of user accounts being compromised - wheel accounts in particular - the less potential there is that we'll suffer a serious security breach, and the less potential problems we'll have to deal with.
*Justin Smith*
GNU/Linux System Administrator
/"Nothing in this world can take the place of persistence. Talent will not; nothing is more common than unsuccessful people with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts."/
/-Calvin Coolidge/
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
wplug-internet mailing list
<a class="moz-txt-link-abbreviated" href="mailto:wplug-internet@wplug.org">wplug-internet@wplug.org</a>
<a class="moz-txt-link-freetext" href="http://www.wplug.org/mailman/listinfo/wplug-internet">http://www.wplug.org/mailman/listinfo/wplug-internet</a>
</pre>
</blockquote>
<br>
</body>
</html>