Multiple authentication methods at the same time?

Alexander Clouter alex at digriz.org.uk
Thu Feb 17 10:51:11 CET 2011


Thomas A. Fine <fine at head.cfa.harvard.edu> wrote:
>
> One of the things I love on the Internet (and by love I mean hate) is 
> when someone asks a technical question, and they end up with a 
> condescending policy answer.
>
Welcome to the Internet, the place where tongue-in-cheek evaporates...
 
> The first thing anyone should know (but many don't) about security is 
> that everybody has different security needs, and their policy is their 
> own business.  People who go around saying A is secure and B is 
> insecure, and never use B and always use A, these people really do not 
> understand the first thing about security.
> 
When you look for advice on how to do xyz, please do not take it as an 
insult when someone:
 a) answers your question on how to do xyz (and gives two solutions)
 b) suggests doing abc would possibly be more appropriate

A lot of people do not know about public-key auth even today, many do 
not know you can put the lot in LDAP too.  Putting this knowledge on the 
list is not just for your benefit, it's also for archive readers....and 
to pimp-up my Google listing :)

> At any rate, we have seen some new break-ins lately, and they have been 
> compromised passwords (and one sshd out-of-date with a known bug). 
> Whether our policy really helped, i.e. there would have been additional 
> private key break-ins, is unknowable.  At any rate it doesn't matter, we 
> are moving forward.
>
Ours seemed to be due to keyloggers and/or password sharing; I work as a 
network sysadmin for a small university in the UK.

> Another option is OTP.  This gives us real two-factor authentication 
> (depending on which flavor/implementation we pick).  And a parent 
> organization is likely going to mandate this eventually anyway so we 
> might as well get started.
>
> If OTP seeds had to be stored out in the DMZ, this would not meet our 
> security needs.
>
That's actually incorrect, there have been OTP systems that do not rely 
on seeds, and a root compromise of a system does not harm the

I would normally recommend a type of OTP, but I am getting the 
impression that the only recommendations you are interested in hearing 
are unfortunately your own which is a shame; you seem to know things 
that I also want to know.

> So, thank you for attempting to dictate my security policy to me in the 
> absence of any information about me.  And even though we feel that 
> pubkey is woefully inadequate security on its own, I won't tell you not 
> to use it, because I know nothing about your security needs, and can't 
> begin to attempt to offer policy advice to you without significant 
> additional information.
> 
That is completely incorrect, for me.  I *want* to hear what you are 
doing and also your raw ("if you lived in utopia, I would do xyz") 
recommendations so that I can evaluate them all and make a more informed 
choice.  It might seed my brain with something that sparks a far better 
solution.

Cheers

-- 
Alexander Clouter
.sigmonster says: "I'd love to go out with you, but I have to floss my cat."