We're going to enable two-factor auth ssh logins at work, but I was messing around with Duo Security for Unix on my own VPS and found the Duo Unix PAM module pretty intriguing.
There's a general CLI binary you can compile in the Duo Unix source where sshd can execute the command for auths, but this can technically be bypassed by the users through some crafty .bash_profile/.profile edits. Thus, there's a PAM module for better integration.
What's also cool is that even for those people using passwordless key authentication to ssh in, the second factor requirement will still kick in if configured. Thus, if someone has a stolen laptop/etc or leaves their workstation open, someone else can't just use their key'ed computer to ssh to the target host since sshd will still ask for a second factor (where the private key is the first).
Anyway, the intriguing aspect for this is that you can not only enable two-factor for the Unix system core, but the PAM stacks for other PAM capable applications, e.g. sudo, ksu, sshd via PAM, sftp, etc.
Two-factor for sudo seems appealing in that various users are delegated some root level command rights in order to get applications installed, run updates, etc. Although, this seems like it could be overkill in that if the non-root user already two-factor'ed to shell into the system, then does another two-factor for the sudo'ed command, does this really accomplish anything short of auditing (where sudo already has auditing built-in; assuming you have sane system log configurations)?
Anyone else using two-factor in their Unix environments?