Loading
Tighter SSH Security with Two-Factor Authentication
How to set up two-factor authentication using a USB pendrive and ssh-agent for root logins.
Static passwords are quickly becoming more trouble than they're worth. We need to break the static habit and start using two-factor authentication. OpenSSH is a powerful system that provides the tools necessary to make that step. By using public/private keys, agent forwarding and removable media, we can use OpenSSH as a key “safe”. This, in turn, allows us to create a simple, inexpensive and effective host-based, two-factor authentication system.
This two-factor system requires a moderate amount of work to configure and use, but it is well worth the extra security. However, using the tfssh script makes the process easy to use. Using the script means you get all the benefits of two-factor authentication but almost none of the hassle.
- « first
- ‹ previous
- 1
- 2
- 3
______________________
White Paper
Fabric-Based Computing Enables Optimized Hyperscale Data Centers
Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- New Products
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- A Topic for Discussion - Open Source Feature-Richness?
- Drupal Is a Framework: Why Everyone Needs to Understand This
- Home, My Backup Data Center
- Readers' Choice Awards
- What's the tweeting protocol?
- New Products
- RSS Feeds
- Dart: a New Web Programming Experience
- Reply to comment | Linux Journal
8 hours 24 min ago - Reply to comment | Linux Journal
10 hours 57 min ago - Reply to comment | Linux Journal
12 hours 14 min ago - great post
12 hours 49 min ago - Google Docs
13 hours 11 min ago - Reply to comment | Linux Journal
18 hours 5 sec ago - Reply to comment | Linux Journal
18 hours 46 min ago - Web Hosting IQ
20 hours 20 min ago - Thanks for taking the time to
21 hours 57 min ago - Linux is good
23 hours 55 min ago
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.
Comments
Two-Factor ssh
Agree with Nicholas above. An ssh key + "passphrase" is indeed, not "two-factor" because, as he mentioned, the presence of a passphrase is never validated on the server.
Furthermore, an ssh key (something you have) which is stored onto a USB thumb drive (something you have) is still, technically speaking, single factor authentication. Much like requiring multiple "chained" passwords is still single-factor authentication.
A possible workaround is to use an SSH key which "forces" a command of "sudo /bin/login". By doing so, one would first authenticate with the SSH key (something you have), and then need to authenticate through the "regular" PAM stack (Something you know.) This has the added bonus that the "pam stack" authentication would enforce other rules such as password complexity, fail counts, and so forth.
This is single factor, not two factor authentication
Paul,
RSA key authentication is a single factor authentication. The server only verifies your RSA key, which is the only authentication factor. The key's passphrase is only relevant for protecting your private key in your client machine. You can set empty passphrase, the server doesn't care.
The authentication would have been two factor, if the server verified both the key and a static password independent of the key.
mv not quite secure :)
Don't move cryptokeys using "mv". Use "cp", then "shred" or "wipe".
Excelent article.