Tighter SSH Security with Two-Factor Authentication
ssh-add allows you to lock and/or confirm using private keys. Use the -x and -X options to lock and unlock a key. You will create a password to lock the key, and use the password to unlock it. Using the -c option directs ssh-add to prompt you every time ssh-agent is asked to use a key. The prompt is displayed on the machine running ssh-agent and effectively prevents unauthorized users from using your keys.
Static passwords are quickly becoming more trouble than they're worth. We need to break the static habit and start using two-factor authentication. OpenSSH is a powerful system that provides the tools necessary to make that step. By using public/private keys, agent forwarding and removable media, we can use OpenSSH as a key “safe”. This, in turn, allows us to create a simple, inexpensive and effective host-based, two-factor authentication system.
This two-factor system requires a moderate amount of work to configure and use, but it is well worth the extra security. However, using the tfssh script makes the process easy to use. Using the script means you get all the benefits of two-factor authentication but almost none of the hassle.
Two vs. 2.X Factors
Some people count the locally stored SSH keys and their passphrases as two factors. This view is reasonable, but I feel more comfortable physically separating the key storage device from the computer. Keeping your keys on removable media reduces the opportunity for intruders to capture and crack them.
Now, it's important to realize that keeping your keys on devices like USB pendrives doesn't eliminate the ability of an intruder to spy them. Your keys are vulnerable while mounted, and you should take precautions to harden the workstation from which you connect to other computers. Use good passwords for local (console) logins, keep your workstation patched and so on.
So, you're better off using public key authentication than static passwords, as long as you adequately protect your workstation. How safe you want to be depends on your paranoia.
You can store your keys on any type of removable media. I'm using a USB pendrive in these examples because it's easy to work with and carry around. Feel free to use writable CD-ROMs or DVDs or even floppies if you want.
Paul Sery has been a UNIX and Linux System Administrator for more than 20 years. He's written several Linux books, including Network Linux Toolkit and Knoppix for Dummies. He's also co-authored several Red Hat Linux for Dummies and Fedora Core for Dummies books with Jon “maddog” Hall. Paul lives in Albuquerque, New Mexico, and can be reached at firstname.lastname@example.org.
|Nightfall on Linux||Oct 26, 2016|
|Daily Giveaway - Fun Prizes from Red Hat!||Oct 25, 2016|
|Installing and Running a Headless Virtualization Server||Oct 25, 2016|
|Ubuntu MATE, Not Just a Whim||Oct 21, 2016|
|Non-Linux FOSS: Screenshotting for Fun and Profit!||Oct 20, 2016|
|Nasdaq Selects Drupal 8||Oct 19, 2016|
- Nightfall on Linux
- Installing and Running a Headless Virtualization Server
- Secure Desktops with Qubes: Compartmentalization
- Daily Giveaway - Fun Prizes from Red Hat!
- Ubuntu MATE, Not Just a Whim
- Nasdaq Selects Drupal 8
- Build Your Own Raspberry Pi Camera
- Non-Linux FOSS: Screenshotting for Fun and Profit!
- Canonical Ltd.'s Ubuntu Core
- Polishing the wegrep Wrapper Script