Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-03 Thread Edward Ned Harvey (lopser)
> From: Erik Anderson [mailto:erike...@gmail.com]
> 
> Slightly tangential to this topic: I've implemented Duo on our test
> *nix/*BSD servers to protect SSH. This was easy enough. The main
> problem I've run into is that Duo completely breaks Ansible's ability
> to properly execute playbooks on the hosts. Has anyone found a way
> around this?
> 
> Sure, I could create a separate user for ansible which is exempted
> from Duo, but I'd rather not do that if it could be avoided.

Yup. There are a bunch of ways to approach it. (At least three, that we use at 
work).

1.
If your version of sshd supports Match, you can add a section at the end of 
sshd_config:

    Match User *,!sudouser
    Blahblah use duo.

This would allow "sudouser" to bypass duo.

2.
I'm fuzzy on the details here, because I don't have access to our duo servers, 
but under some circumstances, they will enter a specific user into the duo 
servers, to bypass.

3.
I'm also fuzzy here, but in your client, /etc/login_duo.conf, you have a secret 
key. This is used to identify which profile, or configuration, or whatever it's 
called, that the server uses. I don't know the exact capabilities they have, 
but I know for some systems, we enter a secret key that corresponds to a 
profile, in which, duo is automatically bypassed because the user is coming 
from a VPN where they already had to duo in order to get on the VPN. I'm 
guessing duo bypass by network segment isn't the only criteria you can use to 
get duo bypass.
___
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/
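The Match-block approach in method 1 above, as an added example that is not from the post and not Duo's own code: a small Python model of how sshd resolves a `Match User *,!ansible` block, so the bypass can be checked on a workstation before touching a server. It assumes Duo's login_duo is wired in via `ForceCommand /usr/sbin/login_duo` (Duo's documented sshd integration); the user names alice and ansible and the config fragment are constructed for the example, and only the User criterion is modelled.

```python
"""Added example (not from the post or from Duo): a toy model of how sshd
resolves a `Match User *,!ansible` block, so the bypass in method 1 can be
checked on a workstation.  Assumptions: Duo's login_duo is wired in via
`ForceCommand /usr/sbin/login_duo` (Duo's documented sshd integration); the
user names `alice` and `ansible` are constructed for the example."""
import fnmatch

# Constructed sshd_config fragment (not a real host's file).  Everything above
# the Match line is global; the Match block only applies to users it matches.
SSHD_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes
# everyone except the automation account goes through Duo
Match User *,!ansible
    ForceCommand /usr/sbin/login_duo
    AuthenticationMethods publickey,keyboard-interactive
"""


def match_pattern_list(name, pattern_list):
    """OpenSSH pattern-list semantics: comma-separated glob patterns, '!'
    negates.  A matching negated pattern rejects immediately; otherwise the
    result is whether any positive pattern matched.  So `*,!ansible` matches
    alice but not ansible."""
    got_positive = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if fnmatch.fnmatchcase(name, pat):
            if negated:
                return False
            got_positive = True
    return got_positive


def parse_sshd_config(text):
    """Return (global_directives, [(criteria, directives), ...]).  Keywords are
    lower-cased as sshd does.  Only the User criterion is modelled; sshd also
    matches on Group, Host, Address, LocalAddress and LocalPort, so anything
    else raises rather than silently mis-evaluating."""
    global_directives = {}
    blocks = []
    current = global_directives
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            criteria = {}
            if args.lower() != "all":
                tokens = args.split()
                for crit, pattern in zip(tokens[::2], tokens[1::2]):
                    if crit.lower() != "user":
                        raise NotImplementedError(f"Match {crit} not modelled")
                    criteria["user"] = pattern
            current = {}
            blocks.append((criteria, current))
        else:
            current[keyword] = args
    return global_directives, blocks


def effective_config(text, user):
    """Directives sshd would apply to `user`: global values, overridden by the
    first matching Match block that sets each keyword (sshd keeps the first
    value obtained from Match blocks)."""
    global_directives, blocks = parse_sshd_config(text)
    effective = dict(global_directives)
    set_by_match = set()
    for criteria, directives in blocks:
        # `Match all` has empty criteria and therefore applies to everyone
        if all(match_pattern_list(user, pat) for pat in criteria.values()):
            for key, value in directives.items():
                if key not in set_by_match:
                    effective[key] = value
                    set_by_match.add(key)
    return effective


def duo_enforced(text, user):
    """True when this user's session would be forced through login_duo."""
    return effective_config(text, user).get("forcecommand") == "/usr/sbin/login_duo"


if __name__ == "__main__":
    for name in ("alice", "ansible"):
        cfg = effective_config(SSHD_CONFIG, name)
        print(f"{name}: duo={duo_enforced(SSHD_CONFIG, name)} "
              f"methods={cfg.get('authenticationmethods', '(sshd default)')}")
```

On a real host the same question is answered by sshd's test mode, `sshd -T -C user=ansible | grep -i forcecommand`, which prints the directives sshd would apply to that connection. Whichever of the three methods is used, the exempted account is now the login path without a second factor, so its authorized_keys entry should carry the usual restrictions (`from=` source limits and `restrict`) and its logins should be watched for activity that is not the automation host.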


Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-02 Thread Erik Anderson
On Fri, Dec 2, 2016 at 4:08 AM, Edward Ned Harvey (lopser)
 wrote:
> Also, ssh isn't the only thing in the world you care about. We use Duo for 
> ssh, RDP, VPN, drupal, wordpress, email, box.com, and everything else.

Slightly tangential to this topic: I've implemented Duo on our test
*nix/*BSD servers to protect SSH. This was easy enough. The main
problem I've run into is that Duo completely breaks Ansible's ability
to properly execute playbooks on the hosts. Has anyone found a way
around this?

Sure, I could create a separate user for ansible which is exempted
from Duo, but I'd rather not do that if it could be avoided.

-Erik


Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-02 Thread Edward Ned Harvey (lopser)
> From: discuss-boun...@lists.lopsa.org [mailto:discuss-
> boun...@lists.lopsa.org] On Behalf Of Robert Hajime Lanning
> 
> The difference is "can the private key (something you have) be copied?"
> 
> PKI hardware token: No.
> File on notebook: Yes.

Also, ssh isn't the only thing in the world you care about. We use Duo for ssh, 
RDP, VPN, drupal, wordpress, email, box.com, and everything else.


Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Ed
Yubikey & privacyIDEA are a good combination - FIDO U2F can be
independently used at a variety of sites and Yubikey can be used for
signing code and as a smartphone lock with NFC. Yubikey has its own
key management software too.

On Wed, Nov 30, 2016 at 11:31 AM, Kyle Stewart <_kylestew...@outlook.com> wrote:
> Hi all, hope this email finds everyone well. We're looking into setting up
> two-factor authentication at my company for a 2017 project and I'm in the
> "Let's get the lay of the land" phase. Right now it seems like Duo is making
> big headway in this market, but I've heard good things about RSA as well.
> I'd love to get some first-hand feedback from people who have used these
> types of 2FA solutions who aren't sales people :)
>
>
> Overall I get what 2FA/MFA does, but I'm blurry on how it gets implemented -
> at face value I'm very interested in Duo so if anyone has experience with
> Duo and setting it up (preferably alongside Palo Alto's and GlobalProtect)
> that'd be fantastic.
>
>
> Thanks in advance!
>
>
> _
> Kyle Stewart


Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Tom Perrine
I've been a happy Duo user personally (Google, GitHub) for a while. The
push/phone integration is nice.

We're moving to Okta for identity federation + SSO and we're going to
integrate it with Duo.

Kinda over RSA. Our (few) test users liked the Duo push and one-button
response compared to the RSA enter digits thing.




Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Robert Hajime Lanning

Attack vectors...

The difference is "can the private key (something you have) be copied?"

PKI hardware token: No.
File on notebook: Yes.

A PKI key on its own as a file on a hard drive is equal to a really 
complex password. So complex that you can't remember it so it is written 
down.


So, you encrypt the private encryption key with a passphrase. You have 
now put a password on your password.


If the key can be copied, then it does not subscribe to something you 
have being unique. A passphrase can be copied, so it is also not unique. 
The combination of the two are not unique.


Malware can attack a file on a notebook and steal keystrokes for a passphrase.

For PKI hardware, data is sent to the token itself where the token 
(using its own processor) encrypts/signs the data with the private key. 
The private key cannot be copied/read off the token. The private key 
can only be generated/used/erased via API calls to the hardware.


PKI USB tokens are basically smart card readers with a smart card 
permanently attached.



Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Matt Lawrence
It was decided to roll out Duo for multifactor authentication for the 
VPN at work.  From a user standpoint, I think it is wonderful.  I have 
my phone at hand much more often than I have my keyring, particularly 
when I'm on call.  And, I'm going to be carrying my phone anyway, so not 
having a fob bulking up my keyring (which has 3 keys on it) is a big win.



-- Matt




Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Crocker, Deborah
Duo is picking up usage in the academic environment pretty quickly. We're 
rolling it out. We've used their API to build a couple of pieces we need (like 
enrolling allowed people, removing users when they leave, and providing 
one-time use keys if the device is lost). It has been very easy to include it 
in a number of our login processes.

Deborah Crocker, PhD
Systems Engineer III
Office of Information Technology
The University of Alabama
Box 870346
Tuscaloosa, AL 36587
Office 205-348-3758 | Fax 205-348-9393
deborah.croc...@ua.edu



Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Morgan Blackthorne
I guess I'm not seeing much of a distinction between someone knowing your
password and someone knowing the passphrase on your key. If you have a
passphrase set, having a copy of the key does you no good without the
passphrase. But there's a pretty equivalent concern about someone having
both pieces of that equation vs. a normal password. Now something like an
OTP setup is a different story.

I agree with the enforcement perspective on keys; I wish SSH had a way to
flag whether or not a passphrase was enabled for a key and then control
restrictions on the server side as to what accounts are whitelisted for
automation vs. normal users where a passphrase is enforced. But at the end
of the day I'm unconvinced that a key is any less secure than a password,
as long as you have a passphrase configured.


Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Robert Hajime Lanning
Requiring a passphrase on your private key is not enforceable.

And the key can be duplicated. So if someone has a copy of your key and 
gets/guesses your passphrase, you won't know they have access.

Having the private key generated on a PKI hardware token that *enforces* a 
PIN/passphrase to access, covers those bases.


Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Morgan Blackthorne
If you have a passphrase on your private key (as one should), would that
not be considered something you know as well?

On Thu, Dec 1, 2016 at 10:34 AM, Robert Hajime Lanning 
wrote:

> I have only implemented RSA, but I will be doing a bit of research on this
> topic shortly.
>
> For my current job we'll be needing MFA for a secure environment, in the
> next couple of months. They won't be able to afford RSA.
>
> But I do need to note that PKI key+Duo is not MFA. (Something you have +
> Something you have)
>
> MFA is Multi Factor Authentication and is defined as: (pick 2+ separate
> items)
>
> 1) Something you know (password/PIN not written down)
> 2) Something you have (device that can not be copied, RSA fob, PKI
> hardware token/smart card...)
> 3) Something you are (biometrics)
>
> RSA is fob + PIN.
>
> My current plan is a PKI hardware token that requires a PIN/passcode to
> unlock the token to use the private key contained within. The key pair is
> generated on the token and the private key cannot be copied off the token.
>
> Ssh and openvpn clients support PKCS#11 for PKI hardware.
>
>
> On Dec 1, 2016, Morgan Blackthorne  wrote:
>>
>> I'm an end-user of Duo at the day job and relatively happy with it. Was
>> not involved in the setup, though. OTOH I remember someone in #lopsa saying
>> they had problems with them and had been unhappy. Can't remember who or why
>> offhand, hopefully they'll chime in on this thread.
>>
>> I will note that the most common problem with Duo that I've personally
>> seen is when folks have it configured to give them a phone call instead of
>> running the app and getting a push notification. In our setup, to access
>> the windows jumpbox we start an RDP session, and after normal user auth, it
>> then triggers a Duo challenge. But the phone call setting seems to get
>> delayed enough that the RDP session fails with a network policy error.
>> People adjusting their user config with push notifications works better. I
>> have not looked into seeing if you can just blanket disable that option,
>> but it seems a bit odd that they offer that as a service when it doesn't
>> work; then again, we may have a more aggressive timeout policy on the Duo
>> portion than is recommended. Again, wasn't involved in the setup as it
>> predated me, so I'm not sure.
>>
>> I know it also works with Linux boxes and that's on my list to check out,
>> just haven't gotten to it yet. We'd likely only enable it on nodes with
>> public IPs that have SSH listening/allowed, so it has been low on my
>> priority list.
>>
>> Duo is also apparently free depending on how many users/devices you have,
>> whereas last time I heard about the RSA setup, it was very expensive. I'm
>> planning on adding Duo support to my personal AWS Linux nodes for SSH (so
>> key+MFA auth, no passwords allowed).
>>


Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Matt Finnigan
I've implemented RSA RBA (risk-based authentication), which builds on a lot
of the same infrastructure as their fob-based product. I haven't done Duo.
I'll be implementing Okta sometime next year, we already use it for SSO.

Product-agnostic implementation outline:

You need their server/VM/appliance, and whatever you're adding the auth
layer onto has to support your product (or vice-versa.) You may end up
installing something that replaces the default OWA login page for Exchange,
for example. You may have to point Cisco AnyConnect to a customized RADIUS
server. It all depends on what's getting MFA added to it.

Their software/appliance now needs to get a user list; it may integrate
into AD directly, it may require LDAP, etc. There's going to be some way to
provision users into the system, defining who is and isn't covered by MFA.

-Matt Finnigan


On Wed, Nov 30, 2016 at 1:31 PM, Kyle Stewart <_kylestew...@outlook.com>
wrote:



Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Robert Hajime Lanning
I have only implemented RSA, but I will be doing a bit of research on this 
topic shortly.

For my current job we'll be needing MFA for a secure environment, in the next 
couple of months. They won't be able to afford RSA.

But I do need to note that PKI key+Duo is not MFA. (Something you have + 
Something you have)

MFA is Multi Factor Authentication and is defined as: (pick 2+ separate items)

1) Something you know (password/PIN not written down)
2) Something you have (device that cannot be copied, RSA fob, PKI hardware 
token/smart card...)
3) Something you are (biometrics)

RSA is fob + PIN.

My current plan is a PKI hardware token that requires a PIN/passcode to unlock 
the token to use the private key contained within. The key pair is generated on 
the token and the private key cannot be copied off the token.

SSH and OpenVPN clients support PKCS#11 for PKI hardware.


On Dec 1, 2016, Morgan Blackthorne  wrote:
-- 
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning


Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Duncan Hutty
RSA MFA is "Enterprise" with all that implies, good, bad and neutral. If 
that fits for you, fine; but if that doesn't sound like your use case, 
I would suggest looking elsewhere first.


(I have almost no experience with setting up or running MFA based on 
anything *other* than RSA).


--
Duncan Hutty
http://www.allgoodbits.org


Re: [lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Morgan Blackthorne
I'm an end-user of Duo at the day job and relatively happy with it. Was not
involved in the setup, though. OTOH I remember someone in #lopsa saying
they had problems with them and had been unhappy. Can't remember who or why
offhand, hopefully they'll chime in on this thread.

I will note that the most common problem with Duo that I've personally seen
is when folks have it configured to give them a phone call instead of
running the app and getting a push notification. In our setup, to access
the windows jumpbox we start an RDP session, and after normal user auth, it
then triggers a Duo challenge. But the phone call setting seems to get
delayed enough that the RDP session fails with a network policy error.
People adjusting their user config with push notifications works better. I
have not looked into seeing if you can just blanket disable that option,
but it seems a bit odd that they offer that as a service when it doesn't
work; then again, we may have a more aggressive timeout policy on the Duo
portion than is recommended. Again, wasn't involved in the setup as it
predated me, so I'm not sure.

I know it also works with Linux boxes and that's on my list to check out,
just haven't gotten to it yet. We'd likely only enable it on nodes with
public IPs that have SSH listening/allowed, so it has been low on my
priority list.

Duo is also apparently free depending on how many users/devices you have,
whereas last time I heard about the RSA setup, it was very expensive. I'm
planning on adding Duo support to my personal AWS Linux nodes for SSH (so
key+MFA auth, no passwords allowed).

On Wed, Nov 30, 2016 at 10:31 AM, Kyle Stewart <_kylestew...@outlook.com>
wrote:

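Robert's "pick 2+ separate categories" rule and Morgan's planned "key+MFA auth, no passwords allowed" SSH setup can be checked against an sshd AuthenticationMethods line. The following is an added example, not code from either post: it parses the OpenSSH AuthenticationMethods syntax (space-separated alternative chains, comma-separated required steps) and assumes the caller declares which category each method actually proves, because sshd cannot tell whether a public key lives in a PIN-protected hardware token or in a copyable file, nor what PAM backend sits behind keyboard-interactive.

```python
"""Evaluate OpenSSH AuthenticationMethods chains against the know/have/are
factor rule from the thread. Added example, not code from the list."""

# Constructed declarations of what each sshd method proves in a given
# deployment. keyboard-interactive depends entirely on its PAM backend.
SOFT_KEY_PLUS_DUO = {
    "publickey": {"have"},              # key file on disk (copyable)
    "keyboard-interactive": {"have"},   # Duo push to the user's phone
}
HW_TOKEN_PLUS_DUO = {
    "publickey": {"have", "know"},      # PKCS#11 token unlocked by a PIN
    "keyboard-interactive": {"have"},
}
KEY_PLUS_PASSWORD = {
    "publickey": {"have"},
    "password": {"know"},
}


def parse_auth_methods(value):
    """'publickey,keyboard-interactive publickey,password' ->
    [['publickey', 'keyboard-interactive'], ['publickey', 'password']]."""
    return [chain.split(",") for chain in value.split()]


def chain_categories(chain, method_factors):
    """Union of factor categories proved by every step in one chain."""
    cats = set()
    for method in chain:
        if method not in method_factors:
            raise ValueError(f"no factor category declared for {method!r}")
        cats |= method_factors[method]
    return cats


def check_mfa(value, method_factors):
    """Return (is_mfa, weak_chains). sshd accepts any one alternative chain,
    so the login is only as strong as the weakest chain it will take."""
    weak = [c for c in parse_auth_methods(value)
            if len(chain_categories(c, method_factors)) < 2]
    return (not weak, weak)


if __name__ == "__main__":
    line = "publickey,keyboard-interactive"
    print("software key + Duo push:", check_mfa(line, SOFT_KEY_PLUS_DUO))
    print("PIN-locked token + Duo: ", check_mfa(line, HW_TOKEN_PLUS_DUO))
```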


[lopsa-discuss] Multi-Factor Authentication - Who's the Best

2016-12-01 Thread Kyle Stewart
Hi all, hope this email finds everyone well. We're looking into setting up 
two-factor authentication at my company for a 2017 project and I'm in the 
"Let's get the lay of the land" phase. Right now it seems like Duo is making 
big headway in this market, but I've heard good things about RSA as well. I'd 
love to get some first-hand feedback from people who have used these types of 
2FA solutions who aren't sales people :)


Overall I get what 2FA/MFA does, but I'm blurry on how it gets implemented - at 
face value I'm very interested in Duo so if anyone has experience with Duo and 
setting it up (preferably alongside Palo Alto's and GlobalProtect) that'd be 
fantastic.


Thanks in advance!


_
Kyle Stewart