Date: Thu, 1 Oct 2015 15:11:35 -0400
From: Christopher Hilton <chris@vindaloo.com>
To: Matt Smith <fbsd@xtaz.co.uk>
Cc: Ian Smith <smithi@nimnet.asn.au>, freebsd-questions@freebsd.org
Subject: Re: Protecting sshd - Was: SSHguard & IPFW
Message-ID: <32928E48-763C-4A0E-BC4D-6645C98EEE93@vindaloo.com>
In-Reply-To: <9FCF0A95-1BB7-4660-B9BB-A897CC5ABE27@vindaloo.com>
References: <mailman.98.1443614402.37653.freebsd-questions@freebsd.org> <20151001033001.R67283@sola.nimnet.asn.au> <CALf6cgY0TYxugyMWd7ugpL5YgjKYiX+k35+P1+zwbDMJw9T2Jw@mail.gmail.com> <20151001173313.T67283@sola.nimnet.asn.au> <20151001164935.GA1268@hadar.local> <20151001183530.GE15788@xtaz.uk> <9FCF0A95-1BB7-4660-B9BB-A897CC5ABE27@vindaloo.com>
On Oct 1, 2015, at 3:08 PM, Christopher Hilton <chris@vindaloo.com> wrote:

>
>> There are two ports which provide a PAM module which is very handy for adding two-factor authentication to ssh. security/oath-toolkit is the one I use but there is also security/pam_google_authenticator. With one of these you can add a line to /etc/pam.d/sshd and use an app on your phone which supports HOTP/TOTP; I personally use the Google Authenticator app. You generate a secret and scan it into the phone with a QR code and it shows a 6-digit number which changes every 30 seconds.
>>
>> Then if you log in to ssh with a certificate it works like normal. If you log in to ssh with a password then it *also* asks for the latest code from your phone in addition to the password. Hugely more secure, as even if somebody on the internet knows your password, it's highly unlikely they will also know the code currently displayed on your phone.
>
> I would add that to my bag of tricks and consider it worlds more secure than sshd with only passwords. Is this the same Authenticator app that Google uses for two-factor? I'm not sure where I would put it on the spectrum between Passwords Alone and Ssh-Keys Alone, but it would be far enough along on the More Secure side that I would trust it.
>

Duh, you could just read the email rather than skimming it and make a smart assumption from the name "security/pam_google_authenticator". :-)

Chris

     __o          "All I was trying to do was get home from work."
   _`\<,_            -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton                    [chris/at/vindaloo/dot/com]
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?32928E48-763C-4A0E-BC4D-6645C98EEE93>