Gentoo Forums
[basically solved]openssh RequiredAuthentications equivalent
Forum: Networking & Security
reverendryan
n00b

Joined: 13 Feb 2007
Posts: 9

Posted: Thu Aug 28, 2008 4:05 am    Post subject: [basically solved]openssh RequiredAuthentications equivalent

Given the recent rash of SSH vulnerabilities, exploits, and attacks, I'm trying to implement some sort of 2-factor (or 1-and-a-half-factor at the least) authentication. It seems the easiest thing to do would be to make openssh require both a public key and a (server-validated) password (PAM or not). The ssh.com version of ssh has a configuration option called RequiredAuthentications which does exactly what I would like - require one or more forms of authentication:
Code:

RequiredAuthentications      publickey,password

It's too bad, then, that net-misc/ssh is masked for removal from Portage.

I've found a few people around the net asking the same question as myself, such as this guy who gets pointed to a 3-year-old openssh bug, and an unresolved bug over at Debian (somewhat ironic, i think...). Unfortunately most of the threads I found elsewhere either had no replies, or linked to an old bug somewhere.

So, what am I to do? Leaving my systems allowing only key-based auth seems scary, and going back to passwords doesn't seem much better. Perhaps there's some trick that PAM can do that I'm not aware of?

Any insight would be greatly appreciated.


Last edited by reverendryan on Tue Sep 02, 2008 3:58 pm; edited 1 time in total
di1bert
l33t

Joined: 16 May 2002
Posts: 963
Location: Oslo, Norway

Posted: Fri Aug 29, 2008 7:34 am

Set up port knocking on your system. It does mean a little extra work on your side, but it's a great weekend project and will provide you with an extra level of protection.

That with DenyHosts would add the extra security you require...

</0.02c>

-em
reverendryan
n00b

Joined: 13 Feb 2007
Posts: 9

Posted: Sat Aug 30, 2008 3:24 am

di1bert wrote:
Setup port knocking on your system.

Thanks for the tip, I'll look into that.


di1bert wrote:
That with DenyHosts would add the extra security you require...

I'm already using Denyhosts, the problem is the new attacks are using stolen (legitimate) keys, either following the chain of trust from the recently compromised RedHat servers, blacklisted keys from the Debian OpenSSH thing, or both. Basically I don't trust the other people with access to my boxen to not get their private keys stolen.
notHerbert
Advocate

Joined: 11 Mar 2008
Posts: 2228
Location: 45N 73W

Posted: Sat Aug 30, 2008 2:12 pm

Cookie ?
Code:
*  dev-perl/Apache-AuthCookie
      Latest version available: 3.10
      Latest version installed: [ Not Installed ]
      Size of files: 34 kB
      Homepage:      http://search.cpan.org/~mschout/Apache-AuthCookie-3.08/
      Description:   Perl Authentication and Authorization via cookies
      License:       Artistic
Hu
Watchman

Joined: 06 Mar 2007
Posts: 8828

Posted: Sat Aug 30, 2008 5:07 pm

reverendryan wrote:
Basically I don't trust the other people with access to my boxen to not get their private keys stolen.


You could enforce key expiration. Set up a cron job that runs once a week/month/quarter that examines the authorized_keys files of the untrusted users and deletes any entries that were there last time and are still there this time. Then, any stolen key will be worthless after the next run of the cron job.
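The key-expiration cron job Hu describes, written out as an added example (it is not code from the thread or from any of its posters). Each run compares a user's authorized_keys with a snapshot of the key lines seen at the previous run and deletes every key that was already there then, so a key only works until the first run after the one that recorded it. The snapshot-file layout, the temporary directory and the sample key lines are assumptions constructed for the example; the key strings are not real keys.

```shell
#!/bin/sh
# Added example: Hu's "delete what was here last time" key-expiration scheme.
# State: one snapshot file per user holding the key lines seen at the previous run.

# Print only the key lines of an authorized_keys file (comments and blanks skipped).
key_lines() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" 2>/dev/null || true
}

# Number of key lines in a file.
count_keys() {
    key_lines "$1" | wc -l | tr -d ' '
}

# expire_keys AUTHKEYS SNAPSHOT
# Remove from AUTHKEYS every key line that is also in SNAPSHOT (the previous
# run's key lines), then record the surviving key lines as the new snapshot.
expire_keys() {
    ak="$1"; snap="$2"
    [ -f "$ak" ] || return 0
    if [ -f "$snap" ]; then
        awk -v snap="$snap" '
            BEGIN { while ((getline line < snap) > 0) seen[line] = 1 }
            /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }  # keep comments/blank lines
            !($0 in seen) { print }                             # keep keys added since last run
        ' "$ak" > "$ak.tmp"
        # Overwrite in place (cat, not mv) so the user's ownership and mode survive.
        cat "$ak.tmp" > "$ak" && rm -f "$ak.tmp"
    fi
    key_lines "$ak" > "$snap"
}

# Constructed sample key lines for the demo (not real keys).
KEY_ALICE='ssh-rsa AAAAB3NzaC1yc2E_constructed_sample_key_alice= alice@laptop'
KEY_BOB='ssh-rsa AAAAB3NzaC1yc2E_constructed_sample_key_bob= bob@desktop'
KEY_ALICE_NEW='ssh-rsa AAAAB3NzaC1yc2E_constructed_sample_key_alice_2= alice@laptop-new'

# write_sample DIR: create a constructed authorized_keys with two keys in DIR.
write_sample() {
    printf '# keys for an untrusted user (constructed sample)\n%s\n%s\n' \
        "$KEY_ALICE" "$KEY_BOB" > "$1/authorized_keys"
}

demo() {
    d=$(mktemp -d)
    write_sample "$d"
    expire_keys "$d/authorized_keys" "$d/last_run"        # run 1: nothing to expire, snapshot taken
    printf '%s\n' "$KEY_ALICE_NEW" >> "$d/authorized_keys" # alice adds a fresh key between runs
    expire_keys "$d/authorized_keys" "$d/last_run"        # run 2: alice's old key and bob's key go
    echo "keys remaining after second run: $(count_keys "$d/authorized_keys")"
    cat "$d/authorized_keys"
    rm -rf "$d"
}

demo
```

Run it against each untrusted user's `~/.ssh/authorized_keys` with a per-user snapshot path from cron. Note that a key added just before a run survives only until the following run, so the cron interval is also the maximum key lifetime; users need to be told to install a new key before the old one disappears.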
jcat
Veteran

Joined: 26 May 2006
Posts: 1337

Posted: Sun Aug 31, 2008 8:32 am

A user's account being compromised does not necessarily lead to the system being compromised, if users are only granted sensible privileges (very few) and sensible file permissions are used.


Anyway, as far as I know, AllowedAuthentications and RequiredAuthentications options work for OpenSSH. Have you actually tried them?



Cheers,
jcat
reverendryan
n00b

Joined: 13 Feb 2007
Posts: 9

Posted: Tue Sep 02, 2008 3:58 pm

jcat wrote:
Anyway, as far as I know, AllowedAuthentications and RequiredAuthentications options work for OpenSSH. Have you actually tried them?


I have, here are the results:
/etc/init.d/sshd start wrote:

/etc/ssh/sshd_config: line 45: Bad configuration option: RequiredAuthentications
/etc/ssh/sshd_config: terminating, 1 bad configuration options


Hu wrote:
You could enforce key expiration.

Good idea, I might do that as a one time thing. I'll have to make sure that the Windows users logging in know how to regenerate their keys, tho.

Thanks for the tips, everyone. I'm going to go ahead and mark this thread [basically solved], since I guess I'm not going to get what I want :)
jcat
Veteran

Joined: 26 May 2006
Posts: 1337

Posted: Tue Sep 02, 2008 7:13 pm

reverendryan wrote:
jcat wrote:
Anyway, as far as I know, AllowedAuthentications and RequiredAuthentications options work for OpenSSH. Have you actually tried them?


I have, here are the results:
/etc/init.d/sshd start wrote:

/etc/ssh/sshd_config: line 45: Bad configuration option: RequiredAuthentications
/etc/ssh/sshd_config: terminating, 1 bad configuration options



Apologies, yes, you're correct. It looks like the feature was requested once or twice on Bugzilla, but never implemented in OpenSSH.

I know you've marked this as solved but..

Are you not handing out keys _with_ a passphrase anyway? That requires whoever logs in with the key to know the password for the key as well. That is 2-tier auth, isn't it?? :)

If you're handing out keys with empty passphrases (generating the key without entering a passphrase when prompted), that's not a good idea!



Cheers,
jcat
reverendryan
n00b

Joined: 13 Feb 2007
Posts: 9

Posted: Thu Sep 04, 2008 4:14 am

jcat wrote:
Are you not handing out keys _with_ a passphrase anyway? That requires whoever logs in with the key to know the password for the key as well. That is 2-tier auth, isn't it?? :)

If you're handing out keys with empty passphrases (generating the key without entering a passphrase when prompted), that's not a good idea!


Thus far I haven't generated others' keys; they've generated them and given them to me out-of-band (on a flash drive). Perhaps what I'll do is "expire" their keys and generate new ones for them (with some warning, of course). It is possible to remove the password from a private key (first google hit), but I'm not sure any of my users are crafty enough to do that.

The best solution still seems to be a RequiredAuthentications equivalent. I suppose I could create my own overlay and maintain my own patched version of openssh, but where would I find that kind of time?! :roll:
PCGyver
n00b

Joined: 15 Jan 2005
Posts: 5
Location: Poland

Posted: Thu Dec 06, 2012 11:59 am

I made a combination of the two.
During logon I have to:
1. enter the password for the private key (the number of retries depends on sshd_config)
2. enter the user password (the number of retries depends on the script /usr/scripts/sshauth.sh)
like this:

Code:

login as: pcgyver
Authenticating with public key "PCGyver Server Key"
Passphrase for key "PCGyver Server Key":
User password: User password: User password:
login as: pcgyver
Authenticating with public key "PCGyver Server Key"
Passphrase for key "PCGyver Server Key":
User password:
Access denied
User password:
Access denied
User password:
pcgyver@serwer ~ $


My user is in the wheel group.

In sshd_config:
Code:

AllowUsers pcgyver

Match User pcgyver
        ForceCommand /usr/scripts/sshauth.sh

and other changes to replace password login with key login: http://www.g-loaded.eu/2005/11/10/ssh-with-keys/

I made the script /usr/scripts/sshauth.sh (chmod 755 /usr/scripts/sshauth.sh):

Code:

#!/bin/bash
# Second factor for key-based logins: run as ForceCommand after the key has been
# accepted, ask for the account password via su, then hand over to the user's
# login shell or to the command the client asked for.
DEBUG=0

STD="\\033[0;39m"
OK="\\033[1;32m[OK]$STD"
ERR="\\033[1;31m[Err]$STD"

trap disconnect INT

# Drop the session: kill the parent sshd session process and exit.
disconnect() {
  sleep 1
  kill -9 "$PPID"
  exit 1
}

debug() {
  if test "$DEBUG" = 1 ; then
    echo -e "$@"
  fi
}

if test -z "$USER"
then
  debug "$ERR USER environment variable is not set" > /dev/stderr
  disconnect
fi

# Login shell from the passwd entry. getent looks the user up by exact name;
# an unanchored grep on "^$USER" would also match any user whose name starts
# with ours (e.g. "pc" vs "pcgyver").
LOGIN_SHELL="$(getent passwd "$USER" | cut -d ":" -f 7)"

for try in 1 2 3
do
   echo -n "User password: "
   # su asks for the password on the controlling tty and checks it through PAM;
   # its own output is hidden so only our prompt is shown.
   su "$USER" -c "exit" 2>/dev/null >/dev/null

   rc=$?

   if test "$rc" == 0
   then
      debug "$OK validated"
      echo -en "\x0c"
      if test -z "$SSH_ORIGINAL_COMMAND"
      then
         # Interactive login: start the user's shell.
         exec "$LOGIN_SHELL"
      else
         # "ssh host cmd args" arrives as one string, so it must go through the
         # shell; exec "$SSH_ORIGINAL_COMMAND" would look for a program literally
         # named "cmd args".
         exec "$LOGIN_SHELL" -c "$SSH_ORIGINAL_COMMAND"
      fi
      disconnect
   else
      if test "$try" == 3; then
         disconnect
      else
         echo
         echo "Access denied"
      fi
   fi
done
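For anyone reading this thread later: OpenSSH 6.2 (released in 2013, after the last post above) added the sshd_config directive AuthenticationMethods, which does what the original poster wanted from RequiredAuthentications, e.g. `AuthenticationMethods publickey,password` for "key first, then the account password", without a ForceCommand wrapper. The usual pitfalls are a second, space-separated alternative that lets a single method through, and `PasswordAuthentication no` left in place underneath it, which makes the password step impossible. The check below is an added example (not code from the thread or from the OpenSSH project): it reads the global section of an sshd_config the way sshd does (first occurrence of a directive wins; directives after the first Match block are ignored here) and reports whether every listed alternative requires both a public key and a password-type method. The three sample config fragments are constructed for the example.

```shell
#!/bin/sh
# Added example: does this sshd_config really require key AND password?

# cfg_get FILE DIRECTIVE: print the global value of DIRECTIVE (empty if unset).
# Directive names are case-insensitive; the global section ends at the first Match.
cfg_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print; exit                       # sshd keeps the first value it sees
        }
    ' "$1"
}

# check_two_factor FILE: return 0 if every AuthenticationMethods alternative
# needs both publickey and a password-type method; otherwise print why, return 1.
check_two_factor() {
    methods=$(cfg_get "$1" AuthenticationMethods)
    pw=$(printf '%s' "$(cfg_get "$1" PasswordAuthentication)" | tr 'A-Z' 'a-z')
    pk=$(printf '%s' "$(cfg_get "$1" PubkeyAuthentication)" | tr 'A-Z' 'a-z')
    if [ -z "$methods" ]; then
        echo "no AuthenticationMethods: any single successful method logs the user in"
        return 1
    fi
    # Alternatives are space separated; each is a comma-joined chain that must
    # succeed in order. Every alternative has to demand both factors.
    for chain in $methods; do
        case ",$chain," in
            *,publickey,*) ;;
            *) echo "alternative '$chain' does not require a public key"; return 1 ;;
        esac
        case ",$chain," in
            *,password,*|*,keyboard-interactive,*|*,keyboard-interactive:*) ;;
            *) echo "alternative '$chain' does not require a password-type method"; return 1 ;;
        esac
    done
    # The "password" method can only succeed if password authentication is on.
    case " $methods " in
        *password*) if [ "$pw" = no ]; then
                        echo "PasswordAuthentication no makes the password step impossible"
                        return 1
                    fi ;;
    esac
    if [ "$pk" = no ]; then
        echo "PubkeyAuthentication no makes the publickey step impossible"
        return 1
    fi
    echo "ok: $methods"
}

# write_samples DIR: three constructed sshd_config fragments to check.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# key-only login: a stolen private key is enough
PubkeyAuthentication yes
PasswordAuthentication no
EOF
    cat > "$1/mixed.conf" <<'EOF'
# second alternative lets a password alone through
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password password
EOF
    cat > "$1/strong.conf" <<'EOF'
# key first, then the account password (OpenSSH 6.2 or later)
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
# per-user overrides after Match are outside this check's scope
Match User backup
    PasswordAuthentication no
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in weak mixed strong; do
        printf '%s: ' "$f"
        check_two_factor "$d/$f.conf" || true
    done
    rm -rf "$d"
}

demo
```

Point it at `/etc/ssh/sshd_config` to see which of the three cases a live host is in; `sshd -t` still has the final say on syntax, and Match blocks need to be read by hand since they can relax the global setting per user or group.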
All times are GMT