reverendryan n00b
Joined: 13 Feb 2007 Posts: 9
Posted: Thu Aug 28, 2008 4:05 am Post subject: [basically solved] openssh RequiredAuthentications equivalent
Given the recent rash of SSH vulnerabilities, exploits, and attacks, I'm trying to implement some sort of 2-factor (or 1-and-a-half-factor at the least) authentication. It seems the easiest thing to do would be to make openssh require both a public key and a (server-validated) password (PAM or not). The ssh.com version of ssh has a configuration option called RequiredAuthentications which does exactly what I would like - require one or more forms of authentication:
Code:
RequiredAuthentications publickey,password
It's too bad, then, that net-misc/ssh is masked for removal from Portage.
I've found a few people around the net asking the same question as myself, such as this guy who gets pointed to a 3-year-old openssh bug, and an unresolved bug over at Debian (somewhat ironic, I think...). Unfortunately most of the threads I found elsewhere either had no replies, or linked to an old bug somewhere.
So, what am I to do? Leaving my systems allowing only key-based auth seems scary, and going back to passwords doesn't seem much better. Perhaps there's some trick that PAM can do that I'm not aware of?
Any insight would be greatly appreciated.
Last edited by reverendryan on Tue Sep 02, 2008 3:58 pm; edited 1 time in total
di1bert l33t
Joined: 16 May 2002 Posts: 963 Location: Oslo, Norway
Posted: Fri Aug 29, 2008 7:34 am Post subject:
Set up port knocking on your system. It does mean a little extra work on your side, but it's a great weekend project and will provide you with an extra level of protection.
That with DenyHosts would add the extra security you require...
</0.02c>
-em
reverendryan n00b
Joined: 13 Feb 2007 Posts: 9
Posted: Sat Aug 30, 2008 3:24 am Post subject:
di1bert wrote:
> Set up port knocking on your system.
Thanks for the tip, I'll look into that.
di1bert wrote:
> That with DenyHosts would add the extra security you require...
I'm already using DenyHosts; the problem is that the new attacks are using stolen (legitimate) keys, either following the chain of trust from the recently compromised RedHat servers, blacklisted keys from the Debian OpenSSH thing, or both. Basically I don't trust the other people with access to my boxen to not get their private keys stolen.
notHerbert Advocate
Joined: 11 Mar 2008 Posts: 2228 Location: 45N 73W
Posted: Sat Aug 30, 2008 2:12 pm Post subject:
Cookie?
Code:
*  dev-perl/Apache-AuthCookie
      Latest version available: 3.10
      Latest version installed: [ Not Installed ]
      Size of files: 34 kB
      Homepage:      http://search.cpan.org/~mschout/Apache-AuthCookie-3.08/
      Description:   Perl Authentication and Authorization via cookies
      License:       Artistic
Hu Moderator
Joined: 06 Mar 2007 Posts: 21558
Posted: Sat Aug 30, 2008 5:07 pm Post subject:
reverendryan wrote:
> Basically I don't trust the other people with access to my boxen to not get their private keys stolen.
You could enforce key expiration. Set up a cron job that runs once a week/month/quarter that examines the authorized_keys files of the untrusted users and deletes any entries that were there last time and are still there this time. Then, any stolen key will be worthless after the next run of the cron job.
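Hu's cron-job idea written out as a script, added here as an example (it is not from the thread). It keeps a per-user state file of the key lines seen at the previous run and deletes any of those that are still present; the state-file location and script path are assumptions.

```shell
#!/bin/sh
# Added example: key expiration as described by Hu. A key that was already
# present at the previous run and is still present now is deleted; a key
# added since the last run survives until the run after next.
# Assumed layout: one state file per user under /var/lib/keyexpire/<user>.

# expire_keys KEYFILE STATEFILE -- prune KEYFILE, then record what is left.
expire_keys() {
    keyfile=$1
    statefile=$2
    tmp=$(mktemp) || return 1
    if [ -s "$statefile" ]; then
        # Drop every line identical to one recorded at the last run
        # (-x whole line, -F fixed strings, -f patterns from the state file).
        grep -v -x -F -f "$statefile" "$keyfile" > "$tmp" || :
    else
        cat "$keyfile" > "$tmp"
    fi
    # Remember the surviving key lines (comments and blank lines excluded).
    grep -v -e '^#' -e '^[[:space:]]*$' "$tmp" > "$statefile" || :
    # Write back in place so authorized_keys keeps its owner and mode.
    cat "$tmp" > "$keyfile"
    rm -f "$tmp"
}

# expire_user_keys USER -- wrapper for the cron entry (paths are assumptions).
expire_user_keys() {
    home=$(getent passwd "$1" | cut -d: -f6)
    [ -n "$home" ] || return 1
    mkdir -p /var/lib/keyexpire
    expire_keys "$home/.ssh/authorized_keys" "/var/lib/keyexpire/$1"
}

# Weekly cron line, assuming this file is saved as /usr/local/sbin/keyexpire:
#   0 4 * * 1  root  /usr/local/sbin/keyexpire alice bob
for u in "$@"; do
    expire_user_keys "$u"
done
```

Because a key is only removed once it has been seen by two consecutive runs, its effective lifetime is between one and two run intervals, so size the interval accordingly.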
jcat Veteran
Joined: 26 May 2006 Posts: 1337
Posted: Sun Aug 31, 2008 8:32 am Post subject:
A user's account compromised does not necessarily lead to a system being compromised, if users are only granted sensible privileges (very few) and sensible file permissions are used.
Anyway, as far as I know, AllowedAuthentications and RequiredAuthentications options work for OpenSSH. Have you actually tried them?
Cheers,
jcat
reverendryan n00b
Joined: 13 Feb 2007 Posts: 9
Posted: Tue Sep 02, 2008 3:58 pm Post subject:
jcat wrote:
> Anyway, as far as I know, AllowedAuthentications and RequiredAuthentications options work for OpenSSH. Have you actually tried them?
I have, here are the results:
/etc/init.d/sshd start wrote:
> /etc/ssh/sshd_config: line 45: Bad configuration option: RequiredAuthentications
> /etc/ssh/sshd_config: terminating, 1 bad configuration options
Hu wrote:
> You could enforce key expiration.
Good idea, I might do that as a one-time thing. I'll have to make sure that the Windows users logging in know how to regenerate their keys, though.
Thanks for the tips, everyone. I'm going to go ahead and mark this thread [basically solved], since I guess I'm not going to get what I want.
jcat Veteran
Joined: 26 May 2006 Posts: 1337
Posted: Tue Sep 02, 2008 7:13 pm Post subject:
reverendryan wrote:
> jcat wrote:
> > Anyway, as far as I know, AllowedAuthentications and RequiredAuthentications options work for OpenSSH. Have you actually tried them?
> I have, here are the results:
> /etc/init.d/sshd start wrote:
> > /etc/ssh/sshd_config: line 45: Bad configuration option: RequiredAuthentications
> > /etc/ssh/sshd_config: terminating, 1 bad configuration options
Apologies, yes, you're correct. It looks like the feature was requested once or twice on Bugzilla, but never implemented in OpenSSH.
I know you've marked this as solved but..
Are you not handing out keys _with_ a passphrase anyway? That requires whoever logs in with the key to know the password for the key as well. That is 2-tier auth, isn't it?
If you're handing out keys with empty passphrases (generating the key without entering a passphrase when prompted), that's not a good idea!
Cheers,
jcat
reverendryan n00b
Joined: 13 Feb 2007 Posts: 9
Posted: Thu Sep 04, 2008 4:14 am Post subject:
jcat wrote:
> Are you not handing out keys _with_ a passphrase anyway? That requires whoever logs in with the key to know the password for the key as well. That is 2-tier auth, isn't it?
> If you're handing out keys with empty passphrases (generating the key without entering a passphrase when prompted), that's not a good idea!
Thus far I haven't generated others' keys; they've generated them and given them to me out-of-band (on a flash drive). Perhaps what I'll do is "expire" their keys and generate new ones for them (with some warning, of course). It is possible to remove the password from a private key (first Google hit), but I'm not sure any of my users are crafty enough to do that.
The best solution still seems to be a RequiredAuthentications equivalent. I suppose I could create my own overlay and maintain my own patched version of openssh, but where would I find that kind of time?!
PCGyver n00b
Joined: 15 Jan 2005 Posts: 5 Location: Poland
Posted: Thu Dec 06, 2012 11:59 am Post subject:
I made some combinations.
During logon I have to:
1. enter the password for the private key (retries depend on sshd_config)
2. enter the password for the user (retries depend on the script /usr/scripts/sshauth.sh)
like:
Code:
login as: pcgyver
Authenticating with public key "PCGyver Server Key"
Passphrase for key "PCGyver Server Key":
User password: User password: User password:
login as: pcgyver
Authenticating with public key "PCGyver Server Key"
Passphrase for key "PCGyver Server Key":
User password:
Access denied
User password:
Access denied
User password:
pcgyver@serwer ~ $
My user is in the wheel group.
In sshd_config:
Code:
AllowUsers pcgyver
Match User pcgyver
    ForceCommand /usr/scripts/sshauth.sh
and other changes to replace password login with key login: http://www.g-loaded.eu/2005/11/10/ssh-with-keys/
I made the script /usr/scripts/sshauth.sh (chmod 755 /usr/scripts/sshauth.sh):
Code:
#!/bin/bash
# Forced command for key-based logins: asks for the account password (checked
# by su) before handing over to the user's login shell or requested command.
DEBUG=0
STD="\\033[0;39m"
OK="\\033[1;32m[OK]$STD"
ERR="\\033[1;31m[Err]$STD"

# Drop the session: kill the sshd process that spawned this script.
disconnect() {
    sleep 1
    kill -9 $PPID
    exit 1
}
trap disconnect INT

debug() {
    if test "$DEBUG" = 1 ; then
        echo -e "$@"
    fi
}

if test -z "$USER"
then
    debug "$ERR USER environment variable is not set" >&2
    disconnect
fi

for try in 1 2 3
do
    echo -n "User password: "
    # su asks for the password itself and exits non-zero when it is wrong.
    su "$USER" -c "exit" 2>/dev/null >/dev/null
    rc=$?
    if test "$rc" -eq 0
    then
        debug "$OK validated"
        echo -en "\x0c"    # form feed: clear the prompts from the screen
        if test -z "$SSH_ORIGINAL_COMMAND"
        then
            # Interactive login: start the login shell from the passwd entry.
            # Look up the exact user name (grep "^$(whoami)" also matched
            # any account whose name merely starts with ours).
            shell=$(getent passwd "$(whoami)" | cut -d ":" -f 7)
            exec "${shell:-/bin/sh}"
        else
            # Non-interactive: run the client's command through a shell.
            # exec on the whole string as one word ("ls -l") would fail
            # with "command not found".
            exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
        fi
        disconnect
    else
        if test "$try" -eq 3; then
            disconnect
        else
            echo
            echo "Access denied"
        fi
    fi
done
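A check worth running against the Match/ForceCommand setup above, added here as an example (not from the thread or the OpenSSH project). sshd runs the forced command only when the client asks for a shell, command or subsystem; a session that opens forwarding channels without requesting any of those never runs sshauth.sh, so a Match block that relies on ForceCommand for the password gate should also carry "AllowTcpForwarding no". The function name and the sample config files are my own.

```shell
#!/bin/sh
# Added example: report Match blocks in an sshd_config that set ForceCommand
# without also setting "AllowTcpForwarding no". Exit status 1 when at least
# one such block exists, 0 otherwise. Keywords are matched case-insensitively,
# as sshd does; comment and blank lines are skipped.

# audit_match_blocks SSHD_CONFIG
audit_match_blocks() {
    awk '
        function report() {
            if (inblock && forced && !nofwd) {
                print "Match " header ": ForceCommand without AllowTcpForwarding no"
                found++
            }
        }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" {
            report()                      # close the previous block, if any
            inblock = 1; header = $2 " " $3; forced = 0; nofwd = 0
            next
        }
        inblock && tolower($1) == "forcecommand" { forced = 1 }
        inblock && tolower($1) == "allowtcpforwarding" && tolower($2) == "no" { nofwd = 1 }
        END { report(); exit (found > 0) }
    ' "$1"
}

# Usage: audit_match_blocks /etc/ssh/sshd_config
```

Run it after editing sshd_config and before reloading sshd; a clean run prints nothing and returns 0.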