
Run an extra SSH server on Ysul for OTP/Yubikey
Closed, Resolved, Public

Description

When I was thinking about authentication methods for Eglide, I came up with a plan to discourage both password brute-force attacks and password confusion among users.

Current SSH configuration allows three methods of login:

  • public key
  • OTP
  • YubiKey, as an easy-to-use OTP, and not as a two-factor auth

We disable challenge/response methods on port 22, so only public key is allowed.

We then start an SSH server on a new port, to allow OTP and YubiKey auth.

That will discourage brute-force attacks, and newcomers won't be puzzled by our SSH prompt when their key doesn't work:

[ No SSH key detected. Switching to OTP mode. Regular passwords are unsupported. ]
otp-md5 222 ys8606 ext
Password:
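As an added example (not from the task or the Eglide project), a POSIX shell sketch of the two sshd configurations the description proposes, plus a check that the split actually holds. Everything under $WORK, port 2222 and the PidFile names are assumptions; Match blocks are not handled.

```shell
#!/bin/sh
# Added example: write the two configs for the port-22 / OTP split and
# verify them. Paths, port 2222 and pid-file names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

write_configs() {
    # Port 22: public key only, PAM challenge/response switched off.
    cat > "$WORK/sshd_config" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PidFile /var/run/sshd.pid
EOF
    # Second instance: OTP / YubiKey via PAM, regular passwords still refused.
    cat > "$WORK/sshd-with-otp_config" <<'EOF'
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
PidFile /var/run/sshd-with-otp.pid
EOF
}

# sshd honours the FIRST occurrence of a keyword; keywords are case-insensitive.
setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}

# Return 0 when the configuration pair enforces the intended split.
verify_split() {
    pk="$WORK/sshd_config"; otp="$WORK/sshd-with-otp_config"
    [ "$(setting "$pk" ChallengeResponseAuthentication)" = no ] || return 1
    [ "$(setting "$pk" PasswordAuthentication)" = no ] || return 1
    [ "$(setting "$otp" ChallengeResponseAuthentication)" = yes ] || return 1
    [ "$(setting "$otp" UsePAM)" = yes ] || return 1
    # Distinct port and pid file, otherwise "service sshd restart"
    # may stop the wrong instance.
    [ "$(setting "$pk" Port)" != "$(setting "$otp" Port)" ] || return 1
    [ "$(setting "$pk" PidFile)" != "$(setting "$otp" PidFile)" ] || return 1
}

write_configs
verify_split && echo "split OK: $WORK"
```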

Event Timeline

dereckson updated the task description. (Show Details)
dereckson added projects: Servers, security.
dereckson raised the priority of this task from Low to Normal. Apr 1 2016, 21:44

New users are puzzled by the prompt.

We should take care of that now.

Hmmm, we need to recompile another OpenSSH server to be able to change the PAM service name.

Reference: http://serverfault.com/questions/117775/multiple-sshd-instances-using-different-pam-configurations

This works:

Ysul
$ cp /usr/sbin/sshd /usr/sbin/sshd-with-otp
$ cp /etc/pam.d/sshd /etc/pam.d/sshd-with-otp
$ /usr/sbin/sshd-with-otp -f /etc/ssh/sshd-with-otp_config
$ $EDITOR /etc/ssh/sshd_config
(set "ChallengeResponseAuthentication no" to disable PAM)
$ service sshd restart

Still to do: create a service for /usr/sbin/sshd-with-otp

dereckson removed a project: Eglide.