Why You Need Two-Factor Authentication for SSH

I've been chewing on doing a post about the need for two-factor authentication for SSH for a while, long enough that someone else has done the work for me, which is just the way I like it.

Please read Solarisjedi's "Auditing challenged with SSH":

I recently had a real dilemma thrown at me by the security team at a site I work on. The site's policy dictates that no authentication should take place without a password. Any exceptions require both a business case justification on file, and an expiration. This presents a real challenge with SSH. SSH allows public key authentication as an alternative to passwords, and the private key can be created without a passphrase. In addition, there is no way to enforce a key expiration at a server level (at least, not that I've been able to find).

Definitely read the whole post, but here is more:

There is no solution I can see to the issue of enforcing passphrase complexity, or auditing use of non-interactive key pairs, because that part of the process is handled entirely by the client. It's very difficult to convince a security officer that a key generated on an uncontrolled device can be trusted for authentication against Sarbox servers.

Our decision, much to my dismay, was to disable public key authentication site-wide. I feel like we're throwing the baby out with the bath water, but at the same time I understand the need to audit system access, and be able to enforce policy. I'm anxious for our Solaris 9 fleet to turn over to Solaris 10 so we can begin using the more capable version of SSH it includes.

SSH offers "no way to control who on a server is authorized to use public key encryption, no way to enforce passphrase complexity, and no way to expire a public key."
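The audit the quoted post wanted is at least partly possible on the server side today, so here is an added example (not code from this post, from Solarisjedi, or from WiKID): a small Python checker that walks an authorized_keys file, prints each key's SHA256 fingerprint in the same form as ssh-keygen -lf, and reports whether the per-key expiry-time option (added in OpenSSH 7.7, long after the post) is missing or already past. The sample file is constructed and its base64 blobs are stand-ins, not real public keys.

```python
import base64
import hashlib
import re
from datetime import date
# Constructed sample in authorized_keys format; the base64 blobs are stand-ins
# ("key-one" etc.), not real public keys.
SAMPLE = """\
ssh-ed25519 a2V5LW9uZQ== deploy@build
expiry-time="20301231" ssh-ed25519 a2V5LXR3bw== alice@laptop
from="10.0.0.0/8",expiry-time="20200101",no-pty ssh-rsa a2V5LW9sZA== bob@old-host
"""
to_date = lambda s: date(int(s[:4]), int(s[4:6]), int(s[6:8]))  # "YYYYMMDD" -> date

def split_options(line):
    """Return (options, rest); options end at the first space outside quotes."""
    if line.startswith(("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")):
        return "", line
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""

def parse_entry(line):
    options, rest = split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    # same form as ssh-keygen -lf: "SHA256:" plus unpadded base64 of the digest
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    m = re.search(r'expiry-time="(\d{8})\d*"', options)  # YYYYMMDD[HHMM[SS]]
    return {"type": fields[0], "fingerprint": fingerprint, "options": options,
            "comment": fields[2] if len(fields) == 3 else "",
            "expiry": to_date(m.group(1)) if m else None}

def audit(text, today):
    """Return [(entry, status)]; status is 'ok', 'expired' or 'no-expiry'."""
    results = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        exp = entry["expiry"]
        # no option: nothing server-side ever retires the key; past date: sshd refuses it
        status = "no-expiry" if exp is None else ("expired" if exp <= today else "ok")
        results.append((entry, status))
    return results
```

Run it over each user's ~/.ssh/authorized_keys with today's date; every "no-expiry" line is a key that only the client side will ever retire, which is exactly the gap the post describes.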

WiKID, by contrast, gives fine-grained control over who is granted access. The user still chooses the passphrase that protects their private key, but the PIN is validated on the WiKID server, so authentication is genuinely two-factor. What WiKID still needs is a command-line interface so the PIN can be entered as part of the SSH command.

PS: I would have thought that the compliance audit would require 2-factor authentication for remote access, not just passwords.
