[Novalug] Google 2-factor auth

Christophe swnpnt@gmail.com
Sat Aug 25 23:13:15 EDT 2012


On Thu, Aug 23, 2012 at 08:05:53PM -0400, James Ewing Cottrell 3rd wrote:
> On 8/22/2012 10:22 PM, Christophe wrote:
> > Is there any reason I shouldn't feel good about using Google's PAM
> > authentication module to implement a preauth verification code on my
> > gentoo ssh server? I use the iphone app to get my 6-digit auth code.
> > I already had iptables block all ports except 22, with denyhosts
> > sharing data, and a sentence length password. But, now I feel extra
> > special.
> 
> Why wouldn't you be using ssh-agent for your authentication anyway?
> 
> JIM

ssh-agent requires a key to be at each location from which I
connect. I do have a key on my personal laptop but not on my
company desk, which I especially don't trust. With 2-factor, even if
there is malware on the client side and my passphrase is stolen via a
keylogger or some other thing, it's not good enough for access.

2-factor is more secure in the case of the connecting endpoint being
compromised. If there is malware on the connecting side, it could
capture both the private key and the passphrase to load the key. This
risk could be reduced by, say, keeping the key on a USB device that's
only connected to load the key, but still, the passphrase and the key
both need to be fed into the connecting endpoint.

Time-based one-time passphrases eliminate the risk of a compromised
endpoint completely. With the proliferation of web-based drive-by attack
vectors floating about and escalations of special-agent malware usable,
2-factor is a must, IMO.
