Multiple authentication methods at the same time?
Thomas A. Fine
fine at head.cfa.harvard.edu
Thu Feb 17 03:40:16 CET 2011
One of the things I love on the Internet (and by love I mean hate) is
when someone asks a technical question, and they end up with a
condescending policy answer.
The first thing anyone should know (but many don't) about security is
that everybody has different security needs, and their policy is their
own business. People who go around saying A is secure and B is
insecure, and never use B and always use A, these people really do not
understand the first thing about security.
Having said that, I'll answer your "questions". We used to use a mix of
public key and password for ssh at the user's discretion. We found
ourselves in a situation where we had a few breakins, all of which
appeared to be compromised private keys that had been stolen from remote
accounts. So we decided to try going without public key authentication
for a while and see how that worked out. One can argue about the wisdom
of this decision, and I think it's an interesting debate without a clear
and obvious winner.
At any rate, we have seen some new break-ins lately, and they have been
compromised passwords (and one sshd out-of-date with a known bug).
Whether our policy really helped, i.e. there would have been additional
private key break-ins, is unknowable. At any rate it doesn't matter, we
are moving forward.
In many (though not all) of these breakins, we have seen attackers
collecting private keys from every account they have compromised. In
one case where root was obtained, a fake ssh was installed which in
addition to collecting passwords, also collected private keys and
passphrases.
For us, our first improvement will be improved auditing, and data
collection (hence the DMZ). We'll be profiling our users and
hand-checking logins that don't match their profile. The DMZ also makes
it harder on the hackers. Initially of course, two passwords instead of
one is only a slight improvement (if any). But one option is in fact to
allow pubkey at one of the two steps (and not the other). This gives
a kind of soft, sort-of two-factor authentication, as the hacker has to
both sniff a password and steal a private key (from different locations).
Another option is OTP. This gives us real two-factor authentication
(depending on which flavor/implementation we pick). And a parent
organization is likely going to mandate this eventually anyway so we
might as well get started.
Of course, we do not want to expose any authorization or authentication
data out to the DMZ if we don't have to, so once a hacker gets on the
DMZ they don't have much to play with. This is why building everything
into radius makes sense. The hackers have nothing to crack and nothing
to steal, only a port to poke, and not very many times without us
noticing. If OTP seeds had to be stored out in the DMZ, this would not
meet our security needs.
So, thank you for attempting to dictate my security policy to me in the
absence of any information about me. And even though we feel that
pubkey is woefully inadequate security on it's own, I won't tell you not
to use it, because I know nothing about your security needs, and can't
begin to attempt to offer policy advice to you without significant
additional information.
tom
On 2/16/11 6:02 PM, Alexander Clouter wrote:
> Thomas A. Fine<fine at head.cfa.harvard.edu> wrote:
>>
>> I thought this would be easy but now I'm wondering if it will be
>> possible at all. We are transitioning to a DMZ for all ssh logins.
>> During phase one, people will use a standard (but different than
>> internal) password which will be obtained either through LDAP or
>> the passwd module (we just haven't picked one yet, either should
>> be fine).
>>
> Why? Just use public-key auth.
>
> Slap all your keys in LDAP, my fuse program caches keys incase your LDAP
> servers go walkies:
>
> http://www.digriz.org.uk/lpkfuse
>
> It's 2011, stop using password auth for SSH. :)
>
>> But eventually the DMZ ssh will need to be OTP. So I wanted to
>> be able to offer OTP as an option during transition for people to
>> try out and get used to while still being able to use their other
>> traditional password.
>>
> This sort of thing I probably would solve with PAM. Put in your
> /etc/pam.d/sshd file something like:
> ----
> auth sufficient pam_radius_auth.so
> auth required pam_opie.so
> ----
>
> SSH will try public-key, then fall onto password auth with RADIUS, then
> fall onto OTP's (via OPIE). You could replace pam_opie.so with another
> pam_radius_auth.so instance but pass 'conf=/etc/alt-config'.
>
>> So fallback in the case of one method (e.g. LDAP) being unavailable
>> is pretty easy. But in this case both methods would be available,
>> and I'd want to test the password against both methods.
>>
> For OTP to work, the user needs to be presented with a challenge, so get
> them to send a blank password (use unlang in authorize to catch this),
> then a challenge is returned and the auth becomes OTP (even if the
> challege is "Reply-Message := What does your fob say?".
>
>> Is this even possible? It seems like once it has found a working
>> module in authorize, it can only use that one module in authenticate.
>>
>> What's the solution?
>>
> Use PAM, it could be done with RADIUS, but for SSH you really need to
> join the rest of us here in 2011 :P
>
> Cheers
>
More information about the Freeradius-Users
mailing list