Requiring Dual Factor Authentication / Multiple Authentication
Hello List.

I am currently trying to determine how I can implement two factor
authentication for some servers that sit on border networks. Ideally,
a user would be required to use an rsa/dsa key & their system login
password to gain access. This way, they are using something they have
(rsa/dsa key) and something they know (password). It would allow me
to enforce complex passwords as well as expiration time on the server
side.

Searching for previous posts on this subject has not been easy, but I
did come across a thread from 2006:
http://marc.info/?t=114928353600001&r=1&w=2

At that time, it looks like OpenSSH did not have the capabilities to
enforce multiple authentication. Has this changed? Are there other
ideas on how I could enforce password complexity and still utilize
rsa/dsa keys?

Thanks for your time,
Ryan

RE: Requiring Dual Factor Authentication / Multiple Authentication
Look at certificates. This way the user would need a certificate,
password for the said certificate (ok ok so it's possible to have certs
without a password) and disable password only authentication.

Thank you
-- Vlad G.


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Ryan Kish
Sent: Wednesday, April 22, 2009 4:02 PM
To: secureshell@securityfocus.com
Subject: Requiring Dual Factor Authentication / Multiple Authentication


Re: Requiring Dual Factor Authentication / Multiple Authentication
Mr. Kish,

Have you looked at using SSH in conjunction with application/shell
logins? You would "wrapper" your communications inside of an SSH
connection. (You would use the rsa/dsa key functionality here.) Once
the connection is established, you would use a shell or application
login to get the password complexity you wanted.

From a security perspective, not only would you have two factor
authentication, but also two separate security mechanisms. The other
nice feature of this approach is that you would only need one SSH
server to proxy all of your other services.

Hope this helps

thr
-----



Ryan Kish wrote:

Re: Requiring Dual Factor Authentication / Multiple Authentication
On Wed, 22 Apr 2009 15:02:27 -0500, Ryan Kish <rpkish@gmail.com> wrote:



Are you looking for rsa/dsa key only access and then trusting that they
have passphrases protecting them? Or, are you looking for something along
the lines of integrating RSA SecurID with OpenSSH?

-MN

Re: Requiring Dual Factor Authentication / Multiple Authentication
I would really like to implement SecurID, but it's cost prohibitive.
The nice thing about SecurID is that it provides even another layer
of security. In my experience with it, I had to provide a PIN, along
with the current code on the fob, to pass SecurID authentication; in
addition to my host/network password, this was true two factor
authentication.

My major problem with just using rsa/dsa keys or certs is that I have
to use the honor system and hope my user base is protecting their key
or cert with a strong password/passphrase. So I have to assume they
are not. Then there is the problem of securing the rsa/dsa key or
cert: I cannot assume my users have any type of security set up on
their remote machines, as I cannot, nor want to, maintain their remote
networks.

Which brings me back to password authentication. If I were able to
require an rsa/dsa key or cert in addition to a host password (which I
could enforce complexity and expiration times on), I think it would
give me reasonable two factor authentication without the hefty costs
associated with SecurID or similar systems.

Thanks to all of you that have taken the time to read and to respond
to this thread, I appreciate your feedback.

Cheers,
Ryan

Re: Requiring Dual Factor Authentication / Multiple Authentication
On Wed, Apr 22, 2009 at 02:02:27PM -0600, Ryan Kish wrote:
> I am currently trying to determine how I can implement two factor
> authentication for some servers that sit on border networks. Ideally,
> a user would be required to use an rsa/dsa key & their system login
> password to gain access. This way, they are using something they have
> (rsa/dsa key) and something they know (password).

RSA auth already provides this, of course: they have something they
have (their key) and something they know (the passphrase to the key).
It is unfortunate that there is no way to enforce that the user's keys
be encrypted. Since the client needs access to the unencrypted key,
it's necessarily a client-side operation to decrypt the key, which
means that even if OpenSSH provided a mechanism to enforce that the
on-disk keys were encrypted, the user could use their own client which
had no such restrictions...

> It would allow me enforce complex passwords as well as expiration
> time on the server side.

Which does nothing to prevent the user from leaving their complex
password on a post-it note on their monitor, leaving it in an
unencrypted file on their workstation, or telling their "trusted"
coworkers what it is, etc....

You either can trust your users to behave, or you can't. If you
can't, you have a problem that you can't easily fix with technology
(not cheaply, anyway), but your problem is only as big as the thing
you're protecting is valuable... Smart cards and similar may be the
best bet. If you have a genuine need for this level of security,
then someone should be willing to pay for it. If no one is willing to
pay for it, then are you sure you really need that level of security?
It would seem that whatever organization you're securing has already
decided that question for you... ;-)

More security is not always better... If your users (or bosses) don't
see the need, then the harder you make it for them to get what they
need, the more likely they may be to work harder to get around your
security measures, undermining your efforts. It can also lead to user
dissatisfaction, which may mean increased turnover, or users seeking
alternatives to whatever services you're providing. The effort spent
on security should match the value of whatever you're trying to
secure...

Those caveats aside, one relatively cheap way to implement what you
want is to provide a bastion host. It would accept only one of the
two methods of authentication. Access to the resource you're
protecting would use the other of the two, and be restricted to
requests coming from the bastion host (typically by firewall rules,
though there may be other options depending on what you're doing).
Another way might be to use RSA auth with SSH to protect access to the
server, and then use Kerberos or similar to protect the resource (e.g.
an NFS mount).

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
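An added example, not from this thread or from the OpenSSH project, covering both the "key AND password" requirement Ryan describes and the key-only bastion host Derek proposes. OpenSSH 6.2 (released 2013, so after this thread) added the AuthenticationMethods keyword, which makes sshd demand every listed method in order; the script below audits constructed sshd_config samples for that setting and flags the common mistake of requiring a method that is switched off. The four config samples, the classification labels and the helper names are all my own; the parser assumes a flat config with no Match blocks, since sshd honours the first value it sees for a keyword.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the
# "key AND password" requirement. AuthenticationMethods is a real sshd
# keyword (OpenSSH 6.2 and later; this thread predates it). Assumes a flat
# config with no Match blocks, since sshd takes the first value it sees.

# Constructed sample 1: what Ryan asks for. Every login must present a
# public key first and then the system password, which PAM/login.defs
# can subject to complexity and expiry rules.
CONF_BOTH='PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password'

# Constructed sample 2: Derek's bastion host, accepting one factor (key)
# only; the protected resource behind it would take the other factor.
CONF_BASTION='PubkeyAuthentication yes
PasswordAuthentication no'

# Constructed sample 3: OpenSSH default behaviour. Both methods are
# enabled, but either one alone is enough to get in.
CONF_DEFAULT='PubkeyAuthentication yes
PasswordAuthentication yes'

# Constructed sample 4: the lock-out mistake. Both methods are required,
# but password authentication is switched off, so no login can succeed.
CONF_BROKEN='PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,password'

# effective_value CONFIG KEYWORD: print the first value for KEYWORD
# (case-insensitive, comments skipped), which is the one sshd honours.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# requires_both CONFIG: succeed only if AuthenticationMethods is set and
# every space-separated alternative lists both publickey and password
# (methods within one alternative are comma-separated and all required).
requires_both() {
    methods=$(printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "authenticationmethods" { $1 = ""; print; exit }')
    [ -n "$methods" ] || return 1
    for alt in $methods; do
        case "$alt" in *publickey*) ;; *) return 1 ;; esac
        case "$alt" in *password*)  ;; *) return 1 ;; esac
    done
    return 0
}

# classify CONFIG: print two-factor, key-only, password-only,
# any-one-method, lockout or none. Unset keywords take sshd's default (yes).
classify() {
    pk=$(effective_value "$1" PubkeyAuthentication)
    pw=$(effective_value "$1" PasswordAuthentication)
    pk=${pk:-yes}
    pw=${pw:-yes}
    if requires_both "$1"; then
        if [ "$pk" = yes ] && [ "$pw" = yes ]; then
            echo two-factor
        else
            echo lockout
        fi
    elif [ "$pk" = yes ] && [ "$pw" = yes ]; then
        echo any-one-method
    elif [ "$pk" = yes ]; then
        echo key-only
    elif [ "$pw" = yes ]; then
        echo password-only
    else
        echo none
    fi
}

# Report each constructed sample.
for name in CONF_BOTH CONF_BASTION CONF_DEFAULT CONF_BROKEN; do
    eval "conf=\$$name"
    printf '%-12s %s\n' "$name" "$(classify "$conf")"
done
```

Run it against a real file with `classify "$(cat /etc/ssh/sshd_config)"` on a host with OpenSSH 6.2 or later. The order inside AuthenticationMethods matters: with `publickey,password` the client must pass the key check before sshd ever prompts for the password, so a stolen password alone never reaches the password stage. Where the password step is handled by PAM, `publickey,keyboard-interactive` is the equivalent setting; the audit above deliberately counts only `password`, so extend the second `case` if your hosts use that variant.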