On its own, this is not 2FA. It's single factor ("something you
have").

A combination of Google Authenticator _and_ password is 2FA. This is
easy to do with PAM.
This is 2FA in that you need the private key and the passphrase for it.
Unfortunately this can't be enforced at the server; it's client side.
That's because the client could _remove_ the passphrase and reduce
it to "something you have". The server can't tell the difference.
So, from a controls perspective, you have to assume "single factor".

Agreed
I don't agree - being able to unlock a private key is just part of
"possessing" it.

OTOH publickey+password authentication could be considered 2FA. Ideally
with the key rendered practically uncloneable by holding it on a token, etc.

-d

Hi Gentlemen,

Thank you both for your valued opinion. I do however agree that public key
authentication cannot be fully considered MFA as have 2 PCI QSAs I have
spoken with. This is because it is not enforceable server side. Many
things can affect client side security.

It is distributable and not enforceable at a single point.
The key can be regenerated or downloaded again and regenerated to remove
the paraphrase making it single factor authentication.
Keystoke loggers can log the keystrokes to unlock the key and capture it in
band on the client.
RSA and OTP generated by google authenticator w/password authentication can
occur out of band and since enforceable on the server side are much more
difficult to breach.

Again, I want to thank you both for your valued opinion and which everyone
a very great day.

Sincerely,
Bruce F. Bading
Senior Security Consultant

IBM Systems and Technology Group
830-237-6851
***@us.ibm.com
member ISACA since 1985


"United We Stand"

For those with risk, your time to remediate is today.
For those who have been breached, your time to remediate was yesterday!



From: Damien Miller <***@mindrot.org>
To: Stephen Harris <***@spuddy.org>
Cc: Bruce F Bading/Austin/***@IBMUS, openssh-unix-***@mindrot.org
Date: 07/04/2016 01:04 AM
Subject: Re: SSH multi factor authentication
Agreed
which
I don't agree - being able to unlock a private key is just part of
"possessing" it.

OTOH publickey+password authentication could be considered 2FA. Ideally
with the key rendered practically uncloneable by holding it on a token,
etc.

-d

It's not merely possible. It's popular, and nearly inevitable. And
unless you can enforce use of a designated public key on the server
side, for example by breaking ownership checks and making the file and
directories owned by root with user groupo access, or by
auto-replacing $HOME/.ssh/authorized_keys, well, the user can replace
the key at whim with their own insecure key.

And most users *will* follow the default ssh-keygen behavior and use
no passphrase whatsoever. That's been a problem since.... 1995, when
SSH-1 was first written by Tatu Ylonen.

I'd still like to see "ssh-keygen" require a command line flag to
allow blank passwords, instead of the current default behavior. But
when I've suggested it among users, they've explained their firm
rejection of it in impolite terms.

Ben, I'm not trying to say it's not wise and sensible to go write a
non-standard, unsupported, and potentially root access destabilizing
non-standard workaround to shove user keys in a separate, locked,
down, root owned repository managed by someone other than the
individual user.

Actually, come to to think of it, I am saying it's an idea that many
admins do reject and should reject.. It's easy to do at first glance.
But taking manual control of sshd_config can be fragile, and can
breadk restarts of sshd. I don't recommend it for the faint-hearted
and those without test environments with local console access.
Yes, you can hand modify or plug in a wrapper to modify sshd_config
and try to keep it consistent with OpenSSH release changes. It's
sometimes proven a finicky task.
Me, too. I haven't noticed any good ones. Even the chef "openssh"
cookbook doesn't have good default options for the different OpenSSH
variants, and tends to screw up SFTP settings if you use the cookbook.
I agree with this argument.
This is the kind of thing I really, really don't recommend for the
faint of heart or the wise of maintenance. This sort of trick quickly
leds to the infamous XKCD "automation" chart, shown at
https://xkcd.com/1319/ .
People *do* steal private SSH keys and other keys off computers, both
laptops and servers, all the time. I've certainly done it as a proof
of concept.

The last time, it was a "Linux architect" who erected an SSH tunnel
between servers at work and his home machine, with unencrypted SSH
private keys stored in his home direcotry on ech end, and published on
NFS shares. I was pretty shocked, but that kind of thing is not that
unusual. Keys get stolen by this kind of silliness *all the time*.

You'd do this by either moving the authorized_keys to another a root
owned location using "AuthorizedKeysFile" (e.g. AuthorizedKeysFile
/etc/ssh/keys/authorized_keys.%u). Or you use "AuthorizedKeysCommand"
and put the keys into a "database" to reference them via a simple
root-owned program.

Personally I'd use the AuthorizedKeysCommand for this setup as it would
provide for a better programmatic way of managing keys.

- Ben

Yeah, that's doable. It's very rare, though. Many people prefer not to
touch the default sshd_config if they can avoid it. And maintaining
those keys as the root user to lock these credentials may not be work
most admins want to take on.
Then you have to write, or activate and maintain, yet another tool.
Feasible, but not many folks consider it worth the work. I've *done*
things like that, way back with some "one-time password" tools I used
back in the remote 9600 baud modem era.

Many of us prefer not to mess with PAM, Systemd, apache, and other
configuration files, and would love
to just install the system and use it without having to lift a finger to
ever configure it. But sadly, life doesn't
permit us all that luxury. So it is a poor argument. Besides, anyone
maintaining a decent amount of
machines not using puppet, salt, ansible, or <insert new shiny
management tool here> is doing themselves
and their company a disservice.
My response was to your comment "And unless you can enforce use of a
designated public key on
the server side, for example by breaking ownership checks and making the
file and directories owned by
root with user groupo access, or by auto-replacing
$HOME/.ssh/authorized_keys, well, the user can
replace the key at whim with their own insecure key."

So if the admin doesn't care about the restrictions you stated. Then they don't
have to change the sshd_config. However, if they do then they are stepping out
from the defaults. Just like how those that want chroot sftp enabled need to
step out from the defaults. Just like those that need root access via authorizes
keys need to step out from the defaults.
We've all written horrible stuff to satisfy business requirements. Our
universe, as admins,
is scattered with many "yet another tool" or "yet another set of
packages" to maintain for
security or for our users to do their jobs.

So if the above is a requirement for your fictional admin then a tool
will need to be written.
And OpenSSH has already provided the means today by which it can easily
integrate in.
However, I would hope that it is a well written tool, and it can be
shared with the community
so it doesn't become a one-off burden.



Anyways, the question still boils down to is Google Authenticator +
Authorized Keys (with or
without password) 2FA. And honestly I'm going to have to state it is
2FA in both cases.

The argument is simple. If I use a password management tool (that
requires me to unlock
it with a different password) that auto fills in my Blizzard Battle.net
login/password then I use
the Blizzard's authenticator and type in the random code do I have 2FA?

Clearly, I've not typed my password. I may NOT EVEN KNOW my password
(which is true
in this case as it is a nasty auto-generated beast =). So it is
basically the same as the
2048bit RSA authorized key I use in SSH. I use a password to decrypt
access,
but I only really possess both as I don't have them memorized.

To complete the comparison I can write myself a password manager that
doesn't require
me to unlock (e.g. most "remember my password" crap in browsers). So
the fact it is if
my password is protected or not doesn't change my knowledge (or lack of)
of the
password.

The same goes for RSA keys. Someone can steal my password manager, hack
it, and
gain access. Just like they could steal steal my RSA keys off my laptop.


Ben

In general it's worth to put a lot of thinking in this topic considering how SSH
access is used by all your operators. Think of ansible, cluster SSH, fabric and
other automation tools for mass administration of many machines via SSH.
Security OATH-HOTP or OATH-TOTP relies on keeping a shared secret really secret
and securely authenticate it during enrollment process. Personally I don't
consider a Smartphone to be a secure secret store. YMMV.
Some valuable security aspects were already pointed out by others.

Especially you have to restrict the management of SSH authorized keys by some means.

Another thing you have to bear in mind is that the usual smart-cards, USB crypto
tokens or similar are pretty slow. For one signature operation most devices
still need at least ~ one second. That does not sound much but can sum up when
accessing managing many machines at once (again: ansible, cluster SSH, fabric).

More information upon request since it might be considered off-topic here.

Ciao, Michael.