From owner-freebsd-questions@freebsd.org Thu Oct 1 19:52:30 2015
Date: Thu, 1 Oct 2015 12:46:55 -0700
From: Joseph Olatt <joji@eskimo.com>
To: Christopher Hilton
Cc: Matt Smith, Ian Smith, freebsd-questions@freebsd.org
Subject: Re: Protecting sshd - Was: SSHguard & IPFW
Message-ID: <20151001194655.GA15842@eskimo.com>
References: <20151001033001.R67283@sola.nimnet.asn.au> <20151001173313.T67283@sola.nimnet.asn.au> <20151001164935.GA1268@hadar.local> <20151001183530.GE15788@xtaz.uk> <9FCF0A95-1BB7-4660-B9BB-A897CC5ABE27@vindaloo.com> <32928E48-763C-4A0E-BC4D-6645C98EEE93@vindaloo.com>
In-Reply-To: <32928E48-763C-4A0E-BC4D-6645C98EEE93@vindaloo.com>
User-Agent: Mutt/1.5.21 (2010-09-15)

On Thu, Oct 01, 2015 at 03:11:35PM -0400, Christopher Hilton wrote:
> On Oct 1, 2015, at 3:08 PM, Christopher Hilton wrote:
> >
> >> There are two ports which provide a pam module which is very handy for adding two factor authentication to ssh. security/oath-toolkit is the one I use but there is also security/pam_google_authenticator. With one of these you can add a line to /etc/pam.d/sshd and use an app on your phone which supports HOTP/TOTP; I personally use the Google Authenticator app. You generate a secret and scan it into the phone with a QR code and it shows a 6 digit number which changes every 30 seconds.
> >>
> >> Then if you log in to ssh with a certificate it works like normal. If you log in to ssh with a password then it *also* asks for the latest code from your phone in addition to the password. Hugely more secure, as even if somebody on the internet knows your password, it's highly unlikely they will also know the code currently displayed on your phone.
> >
> > I would add that to my bag of tricks and consider it worlds more secure than sshd with only passwords. Is this the same Authenticator App that Google uses for two factor? I'm not sure where I would put it on the spectrum between Passwords Alone and Ssh-Keys Alone, but it would be far enough along on the More Secure side that I would trust it.
>
> Duh, you could just read the email rather than skimming it and make a smart assumption from the name "security/pam_google_authenticator". :-)

Many years ago, I grew concerned about network bandwidth usage and system resource utilization due to brute force attacks. My servers were getting pounded 24x7. So, I put together a simple Two-Factor Authentication system. The system was built for my FreeBSD servers and supports the following:

(a) VPN (OpenVPN)
(b) SSH
(c) Web Single Sign-on (WSSO)

It works as follows:

(1) User makes a request for an account. Manager/supervisor approves the account, with the option to specify an expiration date. The user also chooses a password at this time (first factor; something the user knows).

(2) The system builds an HTML file for the user. Embedded in it is a GPG block that contains the login and expiration date. This is the second factor (something the user has).

(3) When the user wants to VPN, SSH or WSSO, the user double-clicks (or opens the HTML in a browser) and enters his/her password. The GPG block and password are sent to the web server via HTTPS. The HTML file can be placed on devices the user uses (laptop, desktop, phone, etc.) or on a USB thumb drive.

(4) For SSH, the system adds the user's IP to a PF table. For WSSO, a secure cookie is created. For VPN, a one-time password is displayed in the browser, the IP is added to PF, and a DB entry is created by a custom PAM module that OpenVPN talks to during authentication.

I had open-sourced the entire code and put it on SourceForge.net. The system was called Taferno (see: http://taferno.com). I have not pushed updates to the code to SourceForge in a long time. If there is interest, I will. I still use the system on my servers and hence updates have been made. The system is written in C++ (to use the GPGME libraries at that time) and some PERL. I don't have a FreeBSD port made yet.

There are probably more elegant solutions available today (SSHGuard, Google Authenticator, OTP Smart Phone apps, etc.)... When the Subject of this thread changed to "Protecting sshd", I thought I'd share what I had done.