Date: Thu, 26 Dec 2013 14:16:06 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: which is better for sudo: ldap accounts or sudo auto via ssh keys?
Message-ID: <CAHu1Y73WDSwk4q56b=6h6gZ8nux8xnJ_66LFmeL2r=vbLdPpBw@mail.gmail.com>
In-Reply-To: <52BCA7BA.7050200@infracaninophile.co.uk>
References: <CACcSE1wxd3fmV+xNTpa1LDLS+mausd6vBHX3Yui8KyuU=EwCVQ@mail.gmail.com> <52BCA7BA.7050200@infracaninophile.co.uk>
On Thu, Dec 26, 2013 at 2:03 PM, Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:

> On 26/12/2013 21:02, Aleksandr Miroslav wrote:
> > I have a bunch of servers that I'm trying to tighten down.
> >
> > From a security standpoint, which would be more secure:
> >
> > - having users login from an ldap account and use that same password
> > to authorize themselves to sudo
> >
> > - or do away with passwords entirely and have them login with ssh keys
> > only (easy to do) and then authenticate to sudo with ssh keys (from a
> > search, apparently this is doable). I would also like to enforce that
> > the ssh-keys have passwords on them
>
> ssh keys are the way to go here. In fact, I'd recommend disabling use
> of passwords with ssh entirely, and relying on key based auth.

The problem with pubkey auth is that it conflates authentication with
authorization - you can avoid this if you centrally manage where sshd
looks for users' pubkeys, but it's still imperfect.

My $0.02 - use multi-factor auth, key-based + TOTP. You can easily
(starting with 9.2) integrate Google Authenticator with pubkey auth for
SSH. Your users then see something like this:

    msierchio@lada:~ > ssh nardo
    Authenticated with partial success.
    Verification code:

My /etc/pam.d/sshd contains

    auth required /usr/local/lib/pam_google_authenticator.so secret=/etc/totp/${USER}/.google_authenticator

- M
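The "Authenticated with partial success" prompt above only appears when sshd is told that a key alone is not enough. The script below is an added example, not code from the thread or from FreeBSD: it audits an sshd_config and a pam.d/sshd file for the key + TOTP setup the reply describes, reporting each setting that would let a login through with a single factor. The directive names (AuthenticationMethods, PasswordAuthentication, ChallengeResponseAuthentication, UsePAM) are real OpenSSH options; the sample config contents and file paths it writes are constructed for the demonstration. It reads only the global section of sshd_config, so a later Match block is not taken into account.

```shell
#!/bin/sh
# Added example: audit sshd + PAM for "public key AND TOTP" on every login.
# Directive names are real OpenSSH/PAM ones; sample files are constructed.

# Effective value of an sshd_config directive: first uncommented match wins
# (sshd semantics), keyword compared case-insensitively, rest of line returned.
# Stops at the first Match block, whose conditional overrides are not modelled.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, ""); print; exit
        }
    ' "$1"
}

# 0 if every login must present a key AND pass PAM keyboard-interactive
# (the TOTP prompt); 1 otherwise, with one FAIL line per weak setting.
check_mfa_sshd() {
    cfg=$1; rc=0
    methods=$(sshd_opt "$cfg" AuthenticationMethods)
    [ -n "$methods" ] \
        || { echo "FAIL: AuthenticationMethods unset, any single method logs in"; rc=1; }
    # Each space-separated alternative is an AND-list; every one must hold both.
    for alt in $methods; do
        case "$alt" in
            *publickey*keyboard-interactive*|*keyboard-interactive*publickey*) ;;
            *) echo "FAIL: alternative '$alt' logs in without key+TOTP"; rc=1 ;;
        esac
    done
    [ "$(sshd_opt "$cfg" PasswordAuthentication)" = no ] \
        || { echo "FAIL: PasswordAuthentication must be no"; rc=1; }
    [ "$(sshd_opt "$cfg" UsePAM)" = yes ] \
        || { echo "FAIL: UsePAM must be yes for pam_google_authenticator"; rc=1; }
    # keyboard-interactive rides on this; it defaults to yes, so only an explicit no fails.
    [ "$(sshd_opt "$cfg" ChallengeResponseAuthentication)" != no ] \
        || { echo "FAIL: ChallengeResponseAuthentication no removes the TOTP prompt"; rc=1; }
    return $rc
}

# 0 if pam.d/sshd has an active auth line that requires pam_google_authenticator.
check_pam_totp() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
            $3 ~ /pam_google_authenticator\.so$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed samples: a weak sshd_config beside the hardened one, plus a PAM stack.
write_samples() {
    dir=$1
    cat > "$dir/sshd_config.weak" <<'EOF'
# password-only, no second factor
PasswordAuthentication yes
UsePAM yes
EOF
    cat > "$dir/sshd_config.good" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
EOF
    cat > "$dir/pam_sshd.good" <<'EOF'
# auth
auth    required    /usr/local/lib/pam_google_authenticator.so  secret=/etc/totp/${USER}/.google_authenticator
auth    include     system
EOF
}

# Stand-alone run over the constructed samples.
d=$(mktemp -d) && write_samples "$d"
for f in weak good; do
    echo "== sshd_config.$f"
    if check_mfa_sshd "$d/sshd_config.$f"; then echo "OK: key + TOTP enforced"; fi
done
if check_pam_totp "$d/pam_sshd.good"; then echo "pam.d/sshd: TOTP module required"; fi
rm -rf "$d"
```

Run it against the real files with `check_mfa_sshd /etc/ssh/sshd_config` and `check_pam_totp /etc/pam.d/sshd`; the weak sample fails on both the missing AuthenticationMethods line and PasswordAuthentication yes, which is exactly the state a server is in before the change described in the reply.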