Requiring a passphrase on your private key is not enforceable.

And the key can be duplicated. So if someone has a copy of your key and 
gets/guesses your passphrase, you won't know they have access.

Having the private key generated on a PKI hardware token that *enforces* a 
PIN/passphrase to access, covers those bases.

On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:
>If you have a passphrase on your private key (as one should), would
>that
>not be considered something you know as well?
>
>On Thu, Dec 1, 2016 at 10:34 AM, Robert Hajime Lanning
><lann...@lanning.cc>
>wrote:
>
>> I have only implemented RSA, but I will be doing a bit of research on
>this
>> topic shortly.
>>
>> For my current job we'll be needing MFA for a secure environment, in
>the
>> next couple of months. They won't be able to afford RSA.
>>
>> But I do need to note that PKI key+Duo is not MFA. (Something you
>have +
>> Something you have)
>>
>> MFA is Multi Factor Authentication and is defined as: (pick 2+
>separate
>> items)
>>
>> 1) Something you know (password/PIN not written down)
>> 2) Something you have (device that can not be copied, RSA fob, PKI
>> hardware token/smart card...)
>> 3) Something you are (biometrics)
>>
>> RSA is fob + PIN.
>>
>> My current plan is a PKI hardware token that requires a PIN/passcode
>to
>> unlock the token to use the private key contained within. The key
>pair is
>> generated on the token and the private key cannot be copied off the
>token.
>>
>> Ssh and openvpn clients support PKCS#11 for PKI hardware.
>>
>>
>> On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:
>>>
>>> I'm an end-user of Duo at the day job and relatively happy with it.
>Was
>>> not involved in the setup, though. OTOH I remember someone in #lopsa
>saying
>>> they had problems with them and had been unhappy. Can't remember who
>or why
>>> offhand, hopefully they'll chime in on this thread.
>>>
>>> I will note that the most common problem with Duo that I've
>personally
>>> seen is when folks have it configured to give them a phone call
>instead of
>>> running the app and getting a push notification. In our setup, to
>access
>>> the windows jumpbox we start an RDP session, and after normal user
>auth, it
>>> then triggers a Duo challenge. But the phone call setting seems to
>get
>>> delayed enough that the RDP session fails with a network policy
>error.
>>> People adjusting their user config with push notifications works
>better. I
>>> have not looked into seeing if you can just blanket disable that o!
>ption,
>>> but it seems a bit odd that they offer that as a service when it
>doesn't
>>> work; then again, we may have a more aggressive timeout policy on
>the Duo
>>> portion than is recommended. Again, wasn't involved in the setup as
>it
>>> predated me, so I'm not sure.
>>>
>>> I know it also works with Linux boxes and that's on my list to check
>out,
>>> just haven't gotten to it yet. We'd likely only enable it on nodes
>with
>>> public IPs that have SSH listening/allowed, so it has been low on my
>>> priority list.
>>>
>>> Duo is also apparently free depending on how many users/devices you
>have,
>>> whereas last time I heard about the RSA setup, it was very
>expensive. I'm
>>> planning on adding Duo support to my personal AWS Linux nodes for
>SSH (so
>>> key+MFA auth, no passwords allowed).
>>>
>>> On W! ed, Nov 30, 2016 at 10:31 AM, Kyle Stewart <
>>> _kylestew...@outlook.com> wrote:
>>>
>>>> Hi all, hope this email finds everyone well. We're looking into
>setting
>>>> up two-factor authentication at my company for a 2017 project and
>I'm
>>>> in the "Let's get the lay of the land" phase. Right now it seems
>like Duo
>>>> is making big headway in this market, but I've heard good things
>about RSA
>>>> as well. I'd love to get some first-hand feedback from people who
>have used
>>>> these types of 2FA solutions who aren't sales people :)
>>>>
>>>>
>>>> Overall I get what 2FA/MFA does, but I'm blurry on how it gets
>>>> implemented - at face value I'm very interested in Duo so if anyone
>has
>>>> experience with Duo and setting it up (preferably alongside Palo
>Alto's and
>>>> GlobalProtect) that'd be fantastic.
>>>>
>>>>
>>>> Thanks in advance!
>>>>
>>>>
>>>> _____________________________
>>>> Kyle Stewart
>>>>
>>>> _______________________________________________
>>>> Discuss mailing list
>>>> Discuss@lists.lopsa.org
>>>> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
>>>> This list provided by the League of Professional System
>Administrators
>>>>  http://lopsa.org/
>>>>
>>>>
>>> ------------------------------
>>>
>>> Discuss mailing list
>>> Discuss@lists.lopsa.org
>>> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
>>> This list provided by the League of Professional System
>Administrators
>>> http://lopsa.org/
>>>
>>
>>
>> --
>> Mr. Flibble
>> King of the Potato People
>> http://www.linkedin.com/in/RobertLanning
>>
>> _______________________________________________
>> Discuss mailing list
>> Discuss@lists.lopsa.org
>> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
>> This list provided by the League of Professional System
>Administrators
>>  http://lopsa.org/
>>
>>


-- 
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
_______________________________________________
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/

Reply via email to