Re: [CentOS] 2way authentication for SSH?

2013-02-05 Thread Joe Pruett

On 01/30/2013 09:44 AM, SilverTip257 wrote:
 On Wed, Jan 30, 2013 at 8:40 AM, Nux! n...@li.nux.ro wrote:

 On 28.01.2013 13:07, SilverTip257 wrote:
 Google Auth
 http://www.noktec.be/archives/1351

 http://zonereseau.com/en/post/two-factor-ssh-authentication-via-google-secures-linux-logins-392
 http://prasys.info/2012/10/two-way-authentication-for-wordpress/
 How can one be concerned with security AND put his login at the mercy
 of google (or any other 3rd party)??


 That's a good point to question.

 I was in no way endorsing that one should use Google's Auth services.
 (Just that it exists and has been written about numerous times.)

 Personally I do not use it now and would not use it for any systems that
 need to be secure.  Which pretty much means unless I can run the auth
 daemons on a server I control, I won't be using it.


after seeing this thread, i looked at the google auth stuff since i had
been using that with dropbox and happy so far with it.

google is not in the auth chain at all. what they have done is take a
standard algorithm for time based keys and made an android app and pam
module that work together to allow for two factor auth. basically you
are creating a shared secret that is combined with a timestamp and that
computed value is used to confirm that the user authenticating knows
that shared secret. very similar to the rsa fobs, but all done with open
software. and yes, it is only as secure as your file storage is on the
server being connected to because each user's shared secret is stored in
their home folder. if you add the epel repo, it is available from them.
tweak your ssh config to allow challenge/response and pam to require
google auth and then each user creates their own secret. because of how
ssh works, this only happens if you don't have a keypair in place, so it
lets you fall back to password combined with the auth token.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] 2way authentication for SSH?

2013-01-31 Thread J.Witvliet
-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
Rudi Ahlers
Sent: Monday, January 28, 2013 8:52 AM
To: CentOS
Subject: [CentOS] 2way authentication for SSH?

Hi,

Does anyone know of a stable / working 2way authentication system for
SSH, and even web authentication services?

Most of the banks in South Africa have a system that, when you want to make
a payment, they send you an SMS and you need to verify the action with a
secret code which was SMS'd to you. gmail also has this.

Does anyone know of a universal plugin / application that can be used
with SSH and even websites like Wordpress / Joomla / Webmin / etc?


Any pointer would be appreciated.

-Original Message-
Is it really 2way (as in mutual) authentication or 2factor authentication?
Mutual authentication is normally done with ssl (server + client) certificates.
Most http engines (apache, tomcat) do support them.

For two factor (have, know) authentication some assembly is required, at 
least for openssh.
See: http://roumenpetrov.info/openssh/

Generally speaking, you _do_ want a trusted third party (like a CA) and 
certainly _not_ another additional unreliable man-in-the-middle. I mean: like 
google. But should I trust them with regards to security and availability???

HW






Re: [CentOS] 2way authentication for SSH?

2013-01-30 Thread Carlos Eduardo Pedroza Santiviago
I use Duo Security (http://www.duosecurity.com) and recommend it.


On Mon, Jan 28, 2013 at 5:51 AM, Rudi Ahlers r...@softdux.com wrote:

 Hi,

 Does anyone know of a stable / working 2way authentication system for
 SSH, and even web authentication services?

 Most of the banks in South Africa have a system that, when you want to make
 a payment, they send you an SMS and you need to verify the action with a
 secret code which was SMS'd to you. gmail also has this.

 Does anyone know of a universal plugin / application that can be used
 with SSH and even websites like Wordpress / Joomla / Webmin / etc?


 Any pointer would be appreciated.

 --
 Kind Regards
 Rudi Ahlers
 SoftDux

 Website: http://www.SoftDux.com
 Technical Blog: http://Blog.SoftDux.com
 Cell: 082 554 7532
 Fax: 086 268 8492




-- 
Carlos Eduardo Pedroza Santiviago -- http://softwarelivre.net


Re: [CentOS] 2way authentication for SSH?

2013-01-30 Thread Nux!
On 28.01.2013 13:07, SilverTip257 wrote:
 
 Google Auth
 http://www.noktec.be/archives/1351
 http://zonereseau.com/en/post/two-factor-ssh-authentication-via-google-secures-linux-logins-392
 http://prasys.info/2012/10/two-way-authentication-for-wordpress/

How can one be concerned with security AND put his login at the mercy 
of google (or any other 3rd party)??


-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro


Re: [CentOS] 2way authentication for SSH?

2013-01-30 Thread Robert Moskowitz
On 01/30/2013 08:40 AM, Nux! wrote:
 On 28.01.2013 13:07, SilverTip257 wrote:
 Google Auth
 http://www.noktec.be/archives/1351
 http://zonereseau.com/en/post/two-factor-ssh-authentication-via-google-secures-linux-logins-392
 http://prasys.info/2012/10/two-way-authentication-for-wordpress/
 How can one be concerned with security AND put his login at the mercy
 of google (or any other 3rd party)??

It depends on what the 3rd party is doing.  In the case of PKI, the 3rd 
party is providing an attestation service.  This is normally good, and 
presents little risk to the user(s).  Exposure to tracking usage would 
be if OCSP (online cert checking, I suspect I got the wrong letters 
here) is used.

In the case of federated password identities and things like SAML and 
JSON, security CAN be good, but tracking is high.

Disclaimer:  I am in the 3rd party authentication business.  I am 
involved with Verizon's UIS (do a Google search on it :) ) and PKI.




Re: [CentOS] 2way authentication for SSH?

2013-01-30 Thread SilverTip257
On Wed, Jan 30, 2013 at 8:40 AM, Nux! n...@li.nux.ro wrote:

 On 28.01.2013 13:07, SilverTip257 wrote:
 
  Google Auth
  http://www.noktec.be/archives/1351
 
 http://zonereseau.com/en/post/two-factor-ssh-authentication-via-google-secures-linux-logins-392
  http://prasys.info/2012/10/two-way-authentication-for-wordpress/

 How can one be concerned with security AND put his login at the mercy
 of google (or any other 3rd party)??


That's a good point to question.

I was in no way endorsing that one should use Google's Auth services.
(Just that it exists and has been written about numerous times.)

Personally I do not use it now and would not use it for any systems that
need to be secure.  Which pretty much means unless I can run the auth
daemons on a server I control, I won't be using it.



 --
 Sent from the Delta quadrant using Borg technology!

 Nux!
 www.nux.ro


-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] 2way authentication for SSH?

2013-01-28 Thread Alexander Dalloz
Am 28.01.2013 08:51, schrieb Rudi Ahlers:
 Hi,
 
 Does anyone know of a stable / working 2way authentication system for
 SSH, and even web authentication services?
 
 Most of the banks in South Africa have a system that, when you want to make
 a payment, they send you an SMS and you need to verify the action with a
 secret code which was SMS'd to you. gmail also has this.
 
 Does anyone know of a universal plugin / application that can be used
 with SSH and even websites like Wordpress / Joomla / Webmin / etc?
 
 
 Any pointer would be appreciated.

You may check LinOTP

http://www.linotp.org/index.php/about

Don't know your business case, but maybe even the commercially supported
variant may be of interest for you.

Regards

Alexander




Re: [CentOS] 2way authentication for SSH?

2013-01-28 Thread ankush grover
you can use openotp which is free up to 25 users.

http://www.rcdevs.com/products/openotp/

On Mon, Jan 28, 2013 at 1:37 PM, Alexander Dalloz ad+li...@uni-x.org wrote:

 Am 28.01.2013 08:51, schrieb Rudi Ahlers:
  Hi,
 
  Does anyone know of a stable / working 2way authentication system for
  SSH, and even web authentication services?
 
  Most of the banks in South Africa have a system that, when you want to
 make
  a payment, they send you an SMS and you need to verify the action with a
  secret code which was SMS'd to you. gmail also has this.
 
  Does anyone know of a universal plugin / application that can be used
  with SSH and even websites like Wordpress / Joomla / Webmin / etc?
 
 
  Any pointer would be appreciated.

 You may check LinOTP

 http://www.linotp.org/index.php/about

 Don't know your business case, but maybe even the commercially supported
 variant may be of interest for you.

 Regards

 Alexander




Re: [CentOS] 2way authentication for SSH?

2013-01-28 Thread Rudi Ahlers
On Mon, Jan 28, 2013 at 10:07 AM, Alexander Dalloz ad+li...@uni-x.org wrote:

 Am 28.01.2013 08:51, schrieb Rudi Ahlers:
  Hi,
 
  Does anyone know of a stable / working 2way authentication system for
  SSH, and even web authentication services?
 
  Most of the banks in South Africa have a system that, when you want to
 make
  a payment, they send you an SMS and you need to verify the action with a
  secret code which was SMS'd to you. gmail also has this.
 
  Does anyone know of a universal plugin / application that can be used
  with SSH and even websites like Wordpress / Joomla / Webmin / etc?
 
 
  Any pointer would be appreciated.

 You may check LinOTP

 http://www.linotp.org/index.php/about

 Don't know your business case, but maybe even the commercially supported
 variant may be of interest for you.

 Regards

 Alexander





Thank you Alexander.

Do you know of any such product which doesn't need LDAP? I've never worked
with LDAP and don't really want to spend time to learn it now.



-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Cell: 082 554 7532
Fax: 086 268 8492


Re: [CentOS] 2way authentication for SSH?

2013-01-28 Thread Eero Volotinen
2013/1/28 Rudi Ahlers r...@softdux.com:
 Hi,

 Does anyone know of a stable / working 2way authentication system for
 SSH, and even web authentication services?

 Most of the banks in South Africa have a system that, when you want to make
 a payment, they send you an SMS and you need to verify the action with a
 secret code which was SMS'd to you. gmail also has this.

 Does anyone know of a universal plugin / application that can be used
 with SSH and even websites like Wordpress / Joomla / Webmin / etc?


http://www.rcdevs.com/products/openotp/ with
http://www.yubico.com/products/yubikey-hardware/yubikey/ is a good
solution.

--
Eero


Re: [CentOS] 2way authentication for SSH?

2013-01-28 Thread James Hogarth


 Thank you Alexander.

 Do you know of any such product which doesn't need LDAP? I've never worked
 with LDAP and don't really want to spend time to learn it now.



Would require a bit of work to make it 'universal' but for anything that
can use PAM there's google authenticator...

http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/


Re: [CentOS] 2way authentication for SSH?

2013-01-28 Thread Eero Volotinen
2013/1/28 James Hogarth james.hoga...@gmail.com:


 Thank you Alexander.

 Do you know of any such product which doesn't need LDAP? I've never worked
 with LDAP and don't really want to spend time to learn it now.



 Would require a bit of work to make it 'universal' but for anything that
 can use PAM there's google authenticator...

 http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/

http://motp.sourceforge.net/ works without ldap.

--
Eero


Re: [CentOS] 2way authentication for SSH?

2013-01-28 Thread Diego Sanchez
Google authenticator?
http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/

-- 
Diego - Yo no soy paranoico! (pero que me siguen, me siguen)


Re: [CentOS] 2way authentication for SSH?

2013-01-28 Thread SilverTip257
On Mon, Jan 28, 2013 at 3:55 AM, James Hogarth james.hoga...@gmail.com wrote:

 
 
  Thank you Alexander.
 
  Do you know of any such product which doesn't need LDAP? I've never
 worked
  with LDAP and don't really want to spend time to learn it now.
 


 Would require a bit of work to make it 'universal' but for anything that
 can use PAM there's google authenticator...


 http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/


Google Auth
http://www.noktec.be/archives/1351
http://zonereseau.com/en/post/two-factor-ssh-authentication-via-google-secures-linux-logins-392
http://prasys.info/2012/10/two-way-authentication-for-wordpress/






-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] 2way authentication for SSH?

2013-01-28 Thread Robert Moskowitz

On 01/28/2013 02:51 AM, Rudi Ahlers wrote:
 Hi,

 Does anyone know of a stable / working 2way authentication system for
 SSH, and even web authentication services?

 Most of the banks in South Africa have a system that, when you want to make
 a payment, they send you an SMS and you need to verify the action with a
 secret code which was SMS'd to you. gmail also has this.

 Does anyone know of a universal plugin / application that can be used
 with SSH and even websites like Wordpress / Joomla / Webmin / etc?


 Any pointer would be appreciated.

As you can see by the responses, there is no 'universal' plugin. The 
whole arena of authentication is plagued with bootstrapping challenges, 
security flaws, and complexity (like JSON).

I am the author of one of the alternatives (HIP), and my recommendation 
is just choose your poison.




Re: [CentOS] 2way authentication for SSH?

2013-01-28 Thread Rudi Ahlers
On Mon, Jan 28, 2013 at 3:35 PM, Robert Moskowitz r...@htt-consult.com wrote:


 On 01/28/2013 02:51 AM, Rudi Ahlers wrote:
  Hi,
 
  Does anyone know of a stable / working 2way authentication system for
  SSH, and even web authentication services?
 
  Most of the banks in South Africa have a system that, when you want to
 make
  a payment, they send you an SMS and you need to verify the action with a
  secret code which was SMS'd to you. gmail also has this.
 
  Does anyone know of a universal plugin / application that can be used
  with SSH and even websites like Wordpress / Joomla / Webmin / etc?
 
 
  Any pointer would be appreciated.

 As you can see by the responses, there is no 'universal' plugin. The
 whole arena of authentication is plagued with bootstrapping challenges,
 security flaws, and complexity (like JSON).

 I am the author of one of the alternatives (HIP), and my recommendation
 is just choose your poison.




Thanx Robert.

I guess I should have seen this coming. But I have quite a few new
leads for applications that can offer this, even if I would need to
implement more than 1 solution.


-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Cell: 082 554 7532
Fax: 086 268 8492