
Why you need two-factor authentication for SSH

I've been chewing on doing a post about the need for two-factor authentication for SSH for a while, long enough that someone else has done the work for me, which is just the way I like it.

Please read Solarisjedi's "Auditing challenged with SSH"

I recently had a real dilemma thrown at me by the security team at a site I work on. The site's policy dictates that no authentication should take place without a password. Any exceptions require both a business case justification on file, and an expiration. This presents a real challenge with SSH. SSH allows public key authentication as an alternative to passwords, and the private key can be created without a passphrase. In addition, there is no way to enforce a key expiration at a server level (at least, not that I've been able to find).

Definitely read the whole post, but here is more:

There is no solution I can see to the issue of enforcing passphrase complexity, or auditing use of non-interactive key pairs, because that part of the process is handled entirely by the client. It's very difficult to convince a security officer that a key generated on an uncontrolled device can be trusted for authentication against Sarbox servers.

Our decision, much to my dismay, was to disable public key authentication site-wide. I feel like we're throwing the baby out with the bath water, but at the same time I understand the need to audit system access, and be able to enforce policy. I'm anxious for our Solaris 9 fleet to turn over to Solaris 10 so we can begin using the more capable version of SSH it includes.

SSH offers "no way to control who on a server is authorized to use public key encryption, no way to enforce passphrase complexity, and no way to expire a public key."
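Those three limitations describe the SSH of the Solaris 9 era the quoted post is working with. Later OpenSSH releases closed part of the gap on the server side: a Match block in sshd_config can disable public key authentication for everyone except named users or groups, AuthenticationMethods can require a public key plus a second interactive factor, user certificates signed with ssh-keygen carry a validity window (-V), and since OpenSSH 7.7 an authorized_keys entry can carry expiry-time="YYYYMMDD[Z]", after which sshd refuses the key. None of that enforces passphrase complexity, which still happens on the client. The script below is an added example, not code from this post, from Solarisjedi's post or from WiKID; it audits an authorized_keys file against the policy the quoted security team wanted (every key must expire, and every key must be restricted to a source address), and the sample file, key blobs and fixed "now" are constructed placeholders.

```python
"""Audit an OpenSSH authorized_keys file for key expiry and source restrictions.

Added example, not code from the original post or from WiKID. Assumes OpenSSH
7.7 or later, where the authorized_keys option expiry-time="YYYYMMDD[Z]" or
"YYYYMMDDHHMM[SS][Z]" makes sshd reject the key after that time. The sample
file and its key blobs are constructed placeholders, not real keys.
"""
from datetime import datetime, timezone

# Constructed sample: only the second entry satisfies the policy.
SAMPLE = """\
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNOTAREALKEY alice@laptop
expiry-time="20301231Z",from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNOTAREALKEY bob@jumphost
expiry-time="20200101",from="192.168.1.5,10.1.1.1",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER carol@old
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the output is reproducible


def is_key_type(token):
    """True for the key-type tokens sshd accepts (ssh-rsa, ssh-ed25519, ecdsa-sha2-*, sk-*)."""
    return token.startswith(("ssh-", "ecdsa-sha2-", "sk-"))


def split_options(line):
    """Split a line into (options_text, key_text). Options exist only when the
    first token is not a key type; they end at the first whitespace outside
    double quotes, and quoted values may hold commas, spaces and \\" escapes."""
    if is_key_type(line.split(None, 1)[0]):
        return "", line
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2  # skip the escaped character
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def parse_options(options_text):
    """Parse 'a="x,y",b,c="z"' into {"a": "x,y", "b": True, "c": "z"}."""
    items, buf, in_quote, i = [], [], False, 0
    while i < len(options_text):
        c = options_text[i]
        if c == "\\" and in_quote and i + 1 < len(options_text):
            buf.append(options_text[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote  # quotes delimit the value, they are not part of it
        elif c == "," and not in_quote:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if buf:
        items.append("".join(buf))
    parsed = {}
    for item in items:
        name, sep, value = item.partition("=")
        parsed[name.strip().lower()] = value if sep else True
    return parsed


def parse_expiry(spec):
    """expiry-time value -> aware datetime, or None if malformed. sshd reads a
    value without a trailing Z in the server's local zone; this example treats
    both forms as UTC so the result does not depend on the host running it."""
    digits = spec[:-1] if spec.endswith("Z") else spec
    for fmt in ("%Y%m%d", "%Y%m%d%H%M", "%Y%m%d%H%M%S"):
        try:
            return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit(authorized_keys_text, now):
    """Return (line_number, finding, comment) tuples; findings are
    no-expiry, bad-expiry, expired, no-source-restriction and unparseable."""
    findings = []
    for lineno, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options_text, key_text = split_options(line)
        fields = key_text.split(None, 2)
        if len(fields) < 2 or not is_key_type(fields[0]):
            findings.append((lineno, "unparseable", raw))
            continue
        comment = fields[2] if len(fields) > 2 else ""
        options = parse_options(options_text)
        expiry = options.get("expiry-time")
        if expiry is None:
            findings.append((lineno, "no-expiry", comment))
        else:
            when = parse_expiry(expiry) if isinstance(expiry, str) else None
            if when is None:
                findings.append((lineno, "bad-expiry", comment))
            elif when <= now:
                findings.append((lineno, "expired", comment))
        if "from" not in options:
            findings.append((lineno, "no-source-restriction", comment))
    return findings


if __name__ == "__main__":
    for lineno, finding, comment in audit(SAMPLE, NOW):
        print(f"line {lineno}: {finding} ({comment})")
```

Run against the sample it reports alice's key twice (no expiry, no source restriction) and carol's key as expired; run it from a cron job over every user's authorized_keys file and you have the server-side expiry audit the quoted post says it could not find. It does not check who is allowed to use key authentication at all; that belongs in sshd_config, with PubkeyAuthentication disabled globally and re-enabled in a Match block for the users or groups whose business case is on file.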

WiKID does allow fine-grained control over who is provided access. The user selects the passphrase for their private key, but the PIN is validated on the WiKID server, so you have true two-factor authentication. What WiKID needs is a command-line interface so you can enter your PIN as part of the SSH command.

PS: I would have thought that the compliance audit would require 2-factor authentication for remote access, not just passwords.
