*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 13:49 | |
*** nowen has quit (Quit: Leaving.) | 17:46 | |
*** nowen (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 19:54 | |
*** AndChat583569 (~AndChat58@2600:1006:b015:e14e::103) has joined #wikid | 22:02 | |
nowen | hi | 22:02 |
AndChat583569 | hey | 22:02 |
AndChat583569 | Quick question about Wikid | 22:02 |
AndChat583569 | If you use the software token... is that really two factor? It seems like that would actually just be another password. If my password is compromised, the attacker would just need to know my pin to log in. It's not exactly "something I have" at that point. | 22:04 |
nowen | the second factor is possession of the private key embedded in the software token. | 22:04 |
AndChat583569 | But that can be accessed with the pin, correct? | 22:05 |
nowen | you can argue that it's more easily stolen but I would counter that using public-private keys on the devices is better crypto than shared secret | 22:05 |
nowen | because who has the secret? | 22:05 |
AndChat583569 | true | 22:06 |
nowen | AndChat583569: the private key can be accessed with the passphrase | 22:06 |
nowen | the PIN is verified on the server | 22:06 |
nowen | what are you trying to lock down? ipsec vpn? ssl-vpn? | 22:07 |
AndChat583569 | ssh between hosts | 22:07 |
nowen | well, I think security is all about trade-offs. what other tools could you afford if you went with WiKID? | 22:09 |
AndChat583569 | Basically using a PAM and a 2 factor authenticator | 22:09 |
nowen | have you thought about setting up a 'jump box' with 2FA and then use keys from there? | 22:09 |
AndChat583569 | I did. | 22:09 |
nowen | you can also use 2FA for sudo | 22:09 |
nowen | you can also require smartphone tokens if that makes you feel better | 22:10 |
AndChat583569 | There is a software 2factor client that can run from the command line yes? | 22:10 |
nowen | yes, you can run the java client from the command line and there's a python version too | 22:10 |
AndChat583569 | Yeah, the smartphone solution would fit something I have, but not everyone in my group has a smartphone :) | 22:11 |
nowen | http://code.google.com/p/pywikid/ | 22:11 |
nowen | lol | 22:11 |
nowen | do the sysadmins without smart phones carry pagers? | 22:13 |
nowen | ;-) | 22:13 |
AndChat583569 | Just to make sure we're on the same page, if I used the software client, it would be conceptually the same as if I had a PAM that prompted for another password? Because using the software client would fit the "something I know" factor (the PIN)? | 22:13 |
nowen | yes - you need the PIN and the private key embedded in the token client. | 22:14 |
nowen | is this for PCI? | 22:14 |
AndChat583569 | no | 22:14 |
nowen | ok | 22:14 |
nowen | we also did an update to pam radius that prompted for a password too. | 22:15 |
nowen | but I think that's overkill | 22:15 |
AndChat583569 | Yeah probably | 22:16 |
AndChat583569 | Okay, thanks nowen! I think you answered my question pretty well. | 22:16 |
nowen | you still need to validate the account separately | 22:16 |
nowen | np | 22:16 |
nowen | let me know what you need | 22:16 |
*** AndChat583569 has quit (Quit: Bye) | 22:17 | |
*** nowen has quit (Quit: Leaving.) | 23:10 | |