Re: authentication methods: how do they work?
On Wed, 27 Mar 2019 12:31:51 -0400, Boris Epstein wrote:

> This is a nice piece of code indeed:
>
> https://github.com/WIZARDISHUNGRY/totp-util
>
> But I don't see the login_ code there - which would be
> helpful if I were to write a login plugin. Do you know where that
> code would be?

Not sure how you relate totp-util and login_oauth but you can fetch the
source at that url:

/usr/ports/sysutils/login_oath$ echo $(make show=MASTER_SITES)$(make show=DISTFILES)
https://spacehopper.org/mirrors/login_oath-0.8.tar.gz
Re: authentication methods: how do they work?
On Wed, Mar 27, 2019 at 11:05 AM Daniel Jakots wrote:

> On Wed, 27 Mar 2019 05:34:49 -0400, Boris Epstein wrote:
>
> > It is interesting because some people mention combined methods - like
> > SSL hostkey + some second factor being used just in that fashion:
> >
> > https://chown.me/blog/2FA-with-ssh-on-OpenBSD.html
> >
> > But based on my experience thus far it looks like Ted is right. So I
> > may have to write a utility for combined login. What should that
> > utility do - call the two methods in question and return true or
> > false depending on whether they succeed?
>
> You can actually look at the auth plugin this (brilliantly written btw,
> *cough* ;)) blog article mentions. login_oauth allows you to use totp
> and a password:
>
> > DESCRIPTION
> > The login_totp-and-pwd program attempts to authenticate the user
> > via a combination of password authentication and an OATH time-based
> > one-time password
>
> (quote from login_totp-and-pwd.8).
>
> Cheers,
> Daniel
>

Thanks Daniel!

This is a nice piece of code indeed:

https://github.com/WIZARDISHUNGRY/totp-util

But I don't see the login_ code there - which would be helpful if I were
to write a login plugin. Do you know where that code would be?

Boris.
Re: authentication methods: how do they work?
On Wed, 27 Mar 2019 05:34:49 -0400, Boris Epstein wrote:

> It is interesting because some people mention combined methods - like
> SSL hostkey + some second factor being used just in that fashion:
>
> https://chown.me/blog/2FA-with-ssh-on-OpenBSD.html
>
> But based on my experience thus far it looks like Ted is right. So I
> may have to write a utility for combined login. What should that
> utility do - call the two methods in question and return true or
> false depending on whether they succeed?

You can actually look at the auth plugin this (brilliantly written btw,
*cough* ;)) blog article mentions. login_oauth allows you to use totp
and a password:

> DESCRIPTION
> The login_totp-and-pwd program attempts to authenticate the user
> via a combination of password authentication and an OATH time-based
> one-time password

(quote from login_totp-and-pwd.8).

Cheers,
Daniel
Re: authentication methods: how do they work?
On Wed, Mar 27, 2019 at 5:34 AM Boris Epstein wrote:

>
> On Wed, Mar 27, 2019 at 2:31 AM Ted Unangst wrote:
>
>> Boris Epstein wrote:
>> > Thanks. It makes sense to be able to select login methods under some
>> > circumstances - but do I have an option of forcing the user to log in
>> > using a predetermined set of methods (for instance, password and then a
>> > secure key, or password and Yubikey, or password and SSL key)?
>>
>> If you want to require two methods, you have to specify a combined method,
>> with an appropriate utility in /usr/libexec/auth. This is tricky because
>> the API only allows for one challenge/response, not a series of them.
>> (Unless I'm mistaken.)
>>
>
> It is interesting because some people mention combined methods - like SSL
> hostkey + some second factor being used just in that fashion:
>
> https://chown.me/blog/2FA-with-ssh-on-OpenBSD.html
>
> But based on my experience thus far it looks like Ted is right. So I may
> have to write a utility for combined login. What should that utility do -
> call the two methods in question and return true or false depending on
> whether they succeed?
>
> Thanks for all the help.
>
> Boris.
>

And here is another interesting tidbit:

https://jonwillia.ms/2016/04/22/2fa-openbsd-ssh-google-authenticator

I may try to follow the same pattern and see if that works.
Re: authentication methods: how do they work?
On Wed, Mar 27, 2019 at 2:31 AM Ted Unangst wrote:

> Boris Epstein wrote:
> > Thanks. It makes sense to be able to select login methods under some
> > circumstances - but do I have an option of forcing the user to log in
> > using a predetermined set of methods (for instance, password and then a
> > secure key, or password and Yubikey, or password and SSL key)?
>
> If you want to require two methods, you have to specify a combined method,
> with an appropriate utility in /usr/libexec/auth. This is tricky because
> the API only allows for one challenge/response, not a series of them.
> (Unless I'm mistaken.)
>

It is interesting because some people mention combined methods - like SSL
hostkey + some second factor being used just in that fashion:

https://chown.me/blog/2FA-with-ssh-on-OpenBSD.html

But based on my experience thus far it looks like Ted is right. So I may
have to write a utility for combined login. What should that utility do -
call the two methods in question and return true or false depending on
whether they succeed?

Thanks for all the help.

Boris.
Re: authentication methods: how do they work?
Boris Epstein wrote:
> Thanks. It makes sense to be able to select login methods under some
> circumstances - but do I have an option of forcing the user to log in using
> a predetermined set of methods (for instance, password and then a secure
> key, or password and Yubikey, or password and SSL key)?

If you want to require two methods, you have to specify a combined method,
with an appropriate utility in /usr/libexec/auth. This is tricky because the
API only allows for one challenge/response, not a series of them. (Unless I'm
mistaken.)
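The message above describes what a combined method in /usr/libexec/auth has to do: run both checks itself and report a single verdict. The following is an added example written for this thread, not code from login_totp-and-pwd or from any of the posters, showing the decision logic of such a utility for the interactive "login" service (where the program prompts on its own and so is not bound by the one challenge/response limit Ted mentions). It assumes, as BSD auth plugins do, that the verdict is a single "authorize" or "reject" line on the back channel (file descriptor 3); here the back channel is any writable object so the logic runs offline. The user record, salt and password are constructed; the TOTP secret is the RFC 6238 test secret, so the expected codes are the published test-vector values.

```python
"""Combined password + TOTP decision logic for a BSD-auth style helper.
Added example; not the code of login_totp-and-pwd or of any list poster."""
import hashlib
import hmac
import io
import struct
import time

TOTP_STEP = 30     # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6


def totp(secret, at_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP over HMAC-SHA1 for the given Unix time."""
    counter = int(at_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def _hash_password(password, salt):
    # Salted PBKDF2 stands in for the system password hash (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database; a real helper would consult the system's
# password file and a per-user secret store instead.
_SALT = b"constructed-salt"
USERS = {
    "boris": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse", _SALT),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test secret
    }
}


def check_password(user, password):
    """Constant-time password check; unknown users cost the same work."""
    rec = USERS.get(user)
    if rec is None:
        _hash_password(password, _SALT)   # same cost, so timing leaks no names
        return False
    return hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))


def check_totp(user, code, now, window=1):
    """Accept the code for the current step or one step either side
    (clock skew tolerance); constant-time compare; unknown user fails."""
    rec = USERS.get(user)
    if rec is None:
        return False
    for k in range(-window, window + 1):
        expected = totp(rec["totp_secret"], now + k * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def combined_login(user, password, code, back_channel, now=None):
    """Both factors must pass. Both are always evaluated (no early return)
    so the caller cannot tell which factor failed. Writes the BSD-auth
    verdict line to back_channel and returns the boolean verdict."""
    now = time.time() if now is None else now
    pw_ok = check_password(user, password)
    otp_ok = check_totp(user, code, now)
    ok = pw_ok and otp_ok
    back_channel.write("authorize\n" if ok else "reject\n")
    return ok


if __name__ == "__main__":
    # Offline demo: the RFC 6238 vector at t=59 gives code 287082.
    chan = io.StringIO()
    print(combined_login("boris", "correct horse", "287082", chan, now=59), chan.getvalue().strip())
```

Two things a real helper needs beyond this: a used-code cache so that a TOTP value accepted once is not accepted again inside its validity window (the skew window above makes that matter more), and the same `reject` path for a missing or malformed second factor, never a fall-through to password-only.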
Re: authentication methods: how do they work?
Thanks. It makes sense to be able to select login methods under some
circumstances - but do I have an option of forcing the user to log in using
a predetermined set of methods (for instance, password and then a secure
key, or password and Yubikey, or password and SSL key)?

On Tue, Mar 26, 2019 at 1:59 PM Todd C. Miller wrote:

> On Tue, 26 Mar 2019 11:11:35 -0400, Daniel Jakots wrote:
>
> > On Tue, 26 Mar 2019 10:01:59 -0400, Boris Epstein wrote:
> >
> > > Hello listmates,
> > >
> > > Let's say I have the following configured in my /etc/login.conf
> > >
> > > auth-defaults:auth=password,skey,yubikey
> > >
> > > Would that mean either password, or skey, or Yubikey, or should they
> > > all be satisfied?
> >
> > Either. Then you can pick which is used when you run the software, for
> > instance with sudo it's the -a flag.
>
> Also, for programs that take a username, you can usually append the
> auth method after the username, separated with a colon. For example,
> for ssh you can do things like:
>
> ssh myname:skey@somehost
>
> - todd
>
Re: authentication methods: how do they work?
On Tue, 26 Mar 2019 11:11:35 -0400, Daniel Jakots wrote:

> On Tue, 26 Mar 2019 10:01:59 -0400, Boris Epstein wrote:
>
> > Hello listmates,
> >
> > Let's say I have the following configured in my /etc/login.conf
> >
> > auth-defaults:auth=password,skey,yubikey
> >
> > Would that mean either password, or skey, or Yubikey, or should they
> > all be satisfied?
>
> Either. Then you can pick which is used when you run the software, for
> instance with sudo it's the -a flag.

Also, for programs that take a username, you can usually append the
auth method after the username, separated with a colon. For example,
for ssh you can do things like:

ssh myname:skey@somehost

 - todd
Re: authentication methods: how do they work?
On Tue, 26 Mar 2019 10:01:59 -0400, Boris Epstein wrote:

> Hello listmates,
>
> Let's say I have the following configured in my /etc/login.conf
>
> auth-defaults:auth=password,skey,yubikey
>
> Would that mean either password, or skey, or Yubikey, or should they
> all be satisfied?

Either. Then you can pick which is used when you run the software, for
instance with sudo it's the -a flag.

> Also, is there a way to specify that different
> users have different requirements as far as authentication methods.

I would use different login classes.

Cheers,
Daniel
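The three answers above (the comma-separated auth list means "any one of these", the user:style suffix picks one, and different login classes give different users different requirements) can be checked against a small model of login.conf. What follows is an added example written for this thread, not code from OpenBSD or from any poster. It assumes the termcap-style layout of login.conf: records chained through tc=, an auth capability whose first entry is the default style, and an auth-<service> capability that overrides auth for one service such as ftp. The login.conf fragment is constructed and keeps the thread's own style names (password, skey, yubikey) rather than the system's spellings.

```python
"""Resolve which auth styles a login class allows, and whether a
user:style request is permitted. Added example, not OpenBSD's code."""

# Constructed login.conf fragment: a shared auth-defaults record chained
# into 'default' via tc=, and a 'staff' class that tightens the list.
SAMPLE_LOGIN_CONF = r"""
# comment line
auth-defaults:\
	:auth=password,skey,yubikey:

default:\
	:path=/usr/bin /bin:\
	:tc=auth-defaults:

staff:\
	:auth=yubikey:\
	:auth-ftp=password:\
	:tc=default:
"""


def parse_login_conf(text):
    """Return {class_name: {capability: value}} from termcap-style text.
    Backslash-continued lines are joined into one logical record."""
    records = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            current += line[:-1]
            continue
        current += line
        fields = [f for f in current.split(":") if f]   # name, cap=val, ...
        name, caps = fields[0], {}
        for field in fields[1:]:
            key, _, value = field.partition("=")
            caps[key] = value
        records[name] = caps
        current = ""
    return records


def lookup(records, cls, cap, seen=None):
    """Find a capability for a class, following tc= chains; the nearest
    definition wins. Cycles and unknown classes resolve to None."""
    if seen is None:
        seen = set()
    if cls in seen or cls not in records:
        return None
    seen.add(cls)
    caps = records[cls]
    if cap in caps:
        return caps[cap]
    if "tc" in caps:
        return lookup(records, caps["tc"], cap, seen)
    return None


def allowed_styles(records, cls, service="login"):
    """Styles a class accepts for a service: auth-<service> beats auth."""
    value = lookup(records, cls, "auth-" + service)
    if value is None:
        value = lookup(records, cls, "auth")
    if value is None:
        return ["passwd"]   # assumption: plain password when nothing is set
    return value.split(",")


def split_user_style(login_name):
    """'myname:skey' -> ('myname', 'skey'); 'myname' -> ('myname', None)."""
    user, _, style = login_name.partition(":")
    return user, (style or None)


def choose_style(records, cls, login_name, service="login"):
    """Style to run: the requested one if the class allows it, else the
    first listed (the default). A request for a style the class does not
    allow yields None, which a caller must treat as a failed login, never
    as a silent fallback to the default."""
    _, requested = split_user_style(login_name)
    allowed = allowed_styles(records, cls, service)
    if requested is None:
        return allowed[0]
    return requested if requested in allowed else None


if __name__ == "__main__":
    conf = parse_login_conf(SAMPLE_LOGIN_CONF)
    for cls in ("default", "staff"):
        print(cls, allowed_styles(conf, cls), choose_style(conf, cls, "myname:skey"))
```

The useful check here is the last one: a class that only lists yubikey must refuse `myname:password` outright rather than quietly running the default style, otherwise the per-class tightening Daniel suggests buys nothing.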