Requiring a passphrase on your private key is not enforceable.
And the key can be duplicated. So if someone has a copy of your key and
gets/guesses your passphrase, you won't know they have access.
Having the private key generated on a PKI hardware token that *enforces* a
PIN/passphrase to access covers those bases.
On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:
> If you have a passphrase on your private key (as one should), would
> not be considered something you know as well?
>On Thu, Dec 1, 2016 at 10:34 AM, Robert Hajime Lanning
>> I have only implemented RSA, but I will be doing a bit of research on
>> topic shortly.
>> For my current job we'll be needing MFA for a secure environment, in
>> next couple of months. They won't be able to afford RSA.
>> But I do need to note that PKI key+Duo is not MFA. (Something you
>> Something you have)
>> MFA is Multi Factor Authentication and is defined as: (pick 2+
>> 1) Something you know (password/PIN not written down)
>> 2) Something you have (device that can not be copied, RSA fob, PKI
>> hardware token/smart card...)
>> 3) Something you are (biometrics)
>> RSA is fob + PIN.
>> My current plan is a PKI hardware token that requires a PIN/passcode
>> unlock the token to use the private key contained within. The key
>> generated on the token and the private key cannot be copied off the
>> Ssh and openvpn clients support PKCS#11 for PKI hardware.
>> On Dec 1, 2016, Morgan Blackthorne <mor...@windsofstorm.net> wrote:
>>> I'm an end-user of Duo at the day job and relatively happy with it.
>>> not involved in the setup, though. OTOH I remember someone in #lopsa
>>> they had problems with them and had been unhappy. Can't remember who
>>> offhand, hopefully they'll chime in on this thread.
>>> I will note that the most common problem with Duo that I've
>>> seen is when folks have it configured to give them a phone call
>>> running the app and getting a push notification. In our setup, to
>>> the windows jumpbox we start an RDP session, and after normal user
>>> then triggers a Duo challenge. But the phone call setting seems to
>>> delayed enough that the RDP session fails with a network policy
>>> People adjusting their user config with push notifications works
>>> have not looked into seeing if you can just blanket disable that o
>>> but it seems a bit odd that they offer that as a service when it
>>> work; then again, we may have a more aggressive timeout policy on
>>> portion than is recommended. Again, wasn't involved in the setup as
>>> predated me, so I'm not sure.
>>> I know it also works with Linux boxes and that's on my list to check
>>> just haven't gotten to it yet. We'd likely only enable it on nodes
>>> public IPs that have SSH listening/allowed, so it has been low on my
>>> priority list.
>>> Duo is also apparently free depending on how many users/devices you
>>> whereas last time I heard about the RSA setup, it was very
>>> planning on adding Duo support to my personal AWS Linux nodes for
>>> key+MFA auth, no passwords allowed).
>>> On Wed, Nov 30, 2016 at 10:31 AM, Kyle Stewart <
>>> _kylestew...@outlook.com> wrote:
>>>> Hi all, hope this email finds everyone well. We're looking into
>>>> up two-factor authentication at my company for a 2017 project and
>>>> in the "Let's get the lay of the land" phase. Right now it seems
>>>> is making big headway in this market, but I've heard good things
>>>> as well. I'd love to get some first-hand feedback from people who
>>>> these types of 2FA solutions who aren't sales people :)
>>>> Overall I get what 2FA/MFA does, but I'm blurry on how it gets
>>>> implemented - at face value I'm very interested in Duo so if anyone
>>>> experience with Duo and setting it up (preferably alongside Palo
>>>> GlobalProtect) that'd be fantastic.
>>>> Thanks in advance!
>>>> Kyle Stewart
>> Mr. Flibble
>> King of the Potato People
King of the Potato People
Discuss mailing list
This list provided by the League of Professional System Administrators
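An added example, not from the thread, of pointing the OpenSSH and OpenVPN clients at a PIN-protected token through PKCS#11 as Robert describes; the module path, the host pattern and the pkcs11-id value are assumptions or placeholders.

```conf
# Added example, not from the thread. Assumes the OpenSC PKCS#11 module is
# installed at /usr/lib/opensc-pkcs11.so; adjust the path for your token and OS.

# --- ~/.ssh/config (OpenSSH client) ---
# The private key never leaves the token. ssh prompts for the token PIN
# (something you know) before the key held on the token (something you have)
# can sign the authentication challenge. Host pattern is constructed.
Host *.example.internal
    PKCS11Provider /usr/lib/opensc-pkcs11.so
# Export the token's public key for the server's authorized_keys with:
#   ssh-keygen -D /usr/lib/opensc-pkcs11.so

# --- client.ovpn (OpenVPN client) ---
# Replaces the usual cert/key file directives; the PIN is requested at connect time.
pkcs11-providers /usr/lib/opensc-pkcs11.so
# Obtain the serialized id with:
#   openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so
pkcs11-id 'PLACEHOLDER-SERIALIZED-ID-FROM-SHOW-PKCS11-IDS'
# Re-prompt for the PIN after this many seconds instead of caching it until
# the token is removed.
pkcs11-pin-cache 300
```

Note that with this setup a stolen laptop without the token, or the token without the PIN, yields nothing usable, which is the property the thread contrasts with a passphrase-only file key.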