Protecting sshd - Was: SSHguard & IPFW
Christopher Hilton
chris at vindaloo.com
Thu Oct 1 19:11:37 UTC 2015
On Oct 1, 2015, at 3:08 PM, Christopher Hilton <chris at vindaloo.com> wrote:
>
>> There are two ports which provide a pam module which is very handy for adding two factor authentication to ssh. security/oath-toolkit is the one I use but there is also security/pam_google_authenticator. With one of these you can add a line to /etc/pam.d/sshd and use an app on your phone which supports HOTP/TOTP, I personally use the Google Authenticator app. You generate a secret and scan it into the phone with a QR code and it shows a 6 digit number which changes every 30 seconds.
>>
>> Then if you log in to ssh with a certificate it works like normal. If you log in to ssh with a password then it *also* asks for the latest code from your phone in addition to the password. Hugely more secure as even if somebody on the internet knows your password, it's highly unlikely they will also know the code currently displayed on your phone.
>
> I would add that to my bag of tricks and consider it worlds more secure than sshd with only passwords. Is this the same Authenticator App that Google uses for two factor? I’m not sure where I would put it on the spectrum between Passwords Alone and Ssh-Keys Alone but it would be far enough along on the More Secure side that I would trust it.
>
Duh, you could just read the email rather than skimming it and make a smart assumption from the name "security/pam_google_authenticator". :-)
Chris
__o "All I was trying to do was get home from work."
_`\<,_ -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton [chris/at/vindaloo/dot/com]
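As an added example (not from the original thread), here is the HOTP/TOTP computation the quoted reply describes: a 6-digit code derived from a shared secret and the current 30-second window, plus a server-side check that tolerates one step of clock skew. The secret "12345678901234567890" and the timestamps are the RFC 4226/6238 test vectors; the verify function and the base32 handling are my assumptions about how a PAM module such as pam_oath or pam_google_authenticator checks the code, not those modules' own code.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
# truncation to 31 bits, then reduce to the requested number of digits.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch,
# which is why the number on the phone changes every 30 seconds.
def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)

# The QR code the phone scans carries the secret as base32 (assumed format);
# accept unpadded input as authenticator apps typically do.
def secret_from_base32(b32: str) -> bytes:
    s = b32.strip().upper().replace(" ", "")
    return base64.b32decode(s + "=" * (-len(s) % 8))

# Server-side check (assumed logic): accept the code for the current step and
# `window` steps either side, compared in constant time. A production verifier
# also refuses a code that was already accepted for the same step (replay).
def verify_totp(secret: bytes, code: str, at=None, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    if len(code) != digits or not code.isdigit():
        return False
    t = int(time.time()) if at is None else at
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, t // step + delta, digits)
        ok |= hmac.compare_digest(expected, code)
    return ok

if __name__ == "__main__":
    # RFC 6238 test secret; T=59 is step 1, whose HOTP is 94287082 -> 287082.
    rfc_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at T=59:", totp(rfc_secret, at=59))
    print("accepted 30s later:", verify_totp(rfc_secret, "287082", at=89))
    print("accepted 60s later:", verify_totp(rfc_secret, "287082", at=119))
```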