Home

Tighter SSH Security with Two-Factor Authentication

Issue 152

From Issue #152
December 2006

Dec 01, 2006  By Paul Sery
 in
How to set up two-factor authentication using a USB pendrive and ssh-agent for root logins.

ssh-add

ssh-add allows you to lock and/or confirm using private keys. Use the -x and -X options to lock and unlock a key. You will create a password to lock the key, and use the password to unlock it. Using the -c option directs ssh-add to prompt you every time ssh-agent is asked to use a key. The prompt is displayed on the machine running ssh-agent and effectively prevents unauthorized users from using your keys.

Conclusion

Static passwords are quickly becoming more trouble than they're worth. We need to break the static habit and start using two-factor authentication. OpenSSH is a powerful system that provides the tools necessary to make that step. By using public/private keys, agent forwarding and removable media, we can use OpenSSH as a key “safe”. This, in turn, allows us to create a simple, inexpensive and effective host-based, two-factor authentication system.

This two-factor system requires a moderate amount of work to configure and use, but it is well worth the extra security. However, using the tfssh script makes the process easy to use. Using the script means you get all the benefits of two-factor authentication but almost none of the hassle.

Two vs. 2.X Factors

Some people count the locally stored SSH keys and their passphrases as two factors. This view is reasonable, but I feel more comfortable physically separating the key storage device from the computer. Keeping your keys on removable media reduces the opportunity for intruders to capture and crack them.

Now, it's important to realize that keeping your keys on devices like USB pendrives doesn't eliminate the ability of an intruder to spy them. Your keys are vulnerable while mounted, and you should take precautions to harden the workstation from which you connect to other computers. Use good passwords for local (console) logins, keep your workstation patched and so on.

So, you're better off using public key authentication than static passwords, as long as you adequately protect your workstation. How safe you want to be depends on your paranoia.

Storing Keys

You can store your keys on any type of removable media. I'm using a USB pendrive in these examples because it's easy to work with and carry around. Feel free to use writable CD-ROMs or DVDs or even floppies if you want.

Paul Sery has been a UNIX and Linux System Administrator for more than 20 years. He's written several Linux books, including Network Linux Toolkit and Knoppix for Dummies. He's also co-authored several Red Hat Linux for Dummies and Fedora Core for Dummies books with Jon “maddog” Hall. Paul lives in Albuquerque, New Mexico, and can be reached at pgsery@swcp.com.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Two-Factor ssh

Mike Kachline's picture
Submitted by Mike Kachline (not verified) on Fri, 01/29/2010 - 17:47.

Agree with Nicholas above. An ssh key + "passphrase" is indeed, not "two-factor" because, as he mentioned, the presence of a passphrase is never validated on the server.

Furthermore, an ssh key (something you have) which is stored onto a USB thumb drive (something you have) is still, technically speaking, single factor authentication. Much like requiring multiple "chained" passwords is still single-factor authentication.

A possible workaround is to use an SSH key which "forces" a command of "sudo /bin/login". By doing so, one would first authenticate with the SSH key (something you have), and then need to authenticate through the "regular" PAM stack (Something you know.) This has the added bonus that the "pam stack" authentication would enforce other rules such as password complexity, fail counts, and so forth.

This is single factor, not two factor authentication

Nicholas Sushkin's picture
Submitted by Nicholas Sushkin (not verified) on Tue, 12/08/2009 - 12:49.

Paul,

RSA key authentication is a single factor authentication. The server only verifies your RSA key, which is the only authentication factor. The key's passphrase is only relevant for protecting your private key in your client machine. You can set empty passphrase, the server doesn't care.

The authentication would have been two factor, if the server verified both the key and a static password independent of the key.

mv not quite secure :)

witek's picture
Submitted by witek (not verified) on Sun, 04/12/2009 - 20:17.

Don't move cryptokeys using "mv". Use "cp", then "shred" or "wipe".

Excelent article.

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState