from Hacker News

Using two-factor authentication for SSH

by kn9 on 1/12/16, 5:04 AM with 47 comments

  • by lrvick on 1/12/16, 9:19 PM

    There is already a standard solution for this imo. Get a GPG smartcard like a Yubikey and put an Authentication subkey on it.

    Now to ssh to anything, clone from Github, etc you insert your Yubikey, and enter your pin to unlock it. A gpg-agent process is created that acts as a standard ssh agent.

    No server modifications required and you get strong hardware backed 2FA. The ssh private key never enters system memory and could not be stolen even by an untrusted machine.

    If the smartcard itself is stolen, it will brick itself on 3 incorrect pin attempts.

    The same device can also store all your OTP tokens or behave as U2F depending on what a service supports so the end game is secrets no longer live on disk or in memory on your systems.

    This also integrates well on Android devices via the Yubikey Neo with apps like Yubico Authenticator and Open Keychain,

  • by georgyo on 1/12/16, 5:07 PM

    The biggest problem with using google authenticator as a two factor mechanism is if you are managing many servers, is that each server needs to have its own setup. If they share keys, and one server gets compromised, they can generate keys for your other servers. As a result, you also cannot automated the process of deploying two factor on your servers.

    A simpler and more robust method is SSH Keys + Passwords. I should write a blog post on this...

  • by backslash on 1/12/16, 4:27 PM

    Very Happy to see 2FA on SSH becoming more and more popular. One of the primary reasons my team has seen smart phones being used as the soft token is the ease of deployment argument, people already have the phone with them. With Yubikeys (not that they are cumbersome) but for some IT groups the "perceived" hassle involved (if a key breaks and have to reissue a new one) is a concern. You can lose your phone too, but some customers think that a phone has more chances of not being forgotten. We've also seen IT groups being quite comfortable using soft tokens because they have been using them for SaaS apps - whether its authy/GA or anything else, I guess familiarity kind of desenstizes the analysis of a risk vector.

  • by cornelinux on 1/12/16, 10:39 PM

    Not sure if to use SSH keys? Or Yubikey? Or Google Authenticator? On a whole bunch of machines?

    Why not have it all?

    Using privacyIDEA [1] you can

    * manage SSH Pub keys for several servers * manage your Google Authenticator centrally * manage Yubikeys centrally or whichever OTP token.

    In addition you can combine it to use the Google Authenticator or any other OTP ++PLUS++ SSH keys [2].

    [1] http://privacyidea.org [2] https://www.privacyidea.org/ssh-keys-and-otp-really-strong-t...

  • by Freak_NL on 1/12/16, 9:34 AM

    If you have public-facing SSH daemons running, adding 2FA seems sensible. Google Authenticator essentially turns another computing device (the smartphone) into an ersatz hardware token. While this does increase security, I don't like the trend of turning the smartphone into a universal second factor.

    Alternatively, you could go for a dedicated hardware token such as Yubico's FIDO U2F [1] keys [2]. Hardware tokens that use the fledgling FIDO U2F standard can also be used with PAM and SSH as well [3].

    Two U2F keys (one backup) will cost around $40, and can be used with a growing number of webservices, including GitHub, DropBox, and GMail as well. The small form factor means you can put the key on your (physical, real world) keychain.

    1: https://fidoalliance.org/specifications/overview/

    2: https://www.yubico.com/products/yubikey-hardware/fido-u2f-se...

    3: https://developers.yubico.com/pam-u2f/

  • by matthiasb on 1/12/16, 6:10 PM

    I am using smart card authentication for SSH, I documented it here: http://codebazaar.blogspot.com/2014/07/how-to-ssh-with-your-...

  • by ewindisch on 1/12/16, 5:44 PM

    A far more simple solution is to require both SSH key and password. Something you have (a key) and something you know. You can even store your ssh key on a Yubikey, if you'd like.

  • by doublerebel on 1/12/16, 5:51 PM

    I've been using Duo Security to add 2FA on SSH and other services on my SmartOS instances. It's really easy and the price is pretty low compared to the amount of work it would take to manage the keys and manual implementations.

    In theory I could worry about Duo going down, but I also rely on other critical cloud services and do have other ways to access an instance in an emergency (and Duo supports fallbacks).

    Simplicity can be deceiving. In this case I think leaving security to the pros is worth the tradeoff. I've previously relied on cloud services for secure user management and wasn't let down.

  • by PTRFRLL on 1/12/16, 4:56 PM

    Authy provides something similar, I wonder if one is better than the other.

    https://github.com/authy/authy-ssh

  • by newman314 on 1/12/16, 9:31 PM

    Using 2FA is all well and good but what I haven't found is a good solution for managing ssh keys for an organization/group. Would love to get some recommendations here.

  • by e40 on 1/12/16, 6:59 PM

    I prefer SSH keys with passwords + knocking for the ssh port (!= 22).