This Time Self-Hosted
dark mode light mode Search

OpenSSH 6.2 adds support for two-factor authentication

OpenSSH releases are always interesting, they never go without at least introducing one feature that makes paranoid security conscious people and no exception is OpenSSH 6.2 which was just released. In particular in this case I was very happy to read:

sshd(8): Added support for multiple required authentication in SSH
protocol 2 via an AuthenticationMethods option. This option lists
one or more comma-separated lists of authentication method names.
Successful completion of all the methods in any list is required for
authentication to complete. This allows, for example, requiring a
user having to authenticate via public key or GSSAPI before they
are offered password authentication.

What’s going on is not extremely obvious, but basically it means that you can now chain, instead of replace, the authentication method. Okay, step back. Have you ever noticed that when ah SSH connection fail, often enough you have a message saying public-key,keyboard-interactive? That means that it tried, in sequence, the two options, and when they failed, it refused the connection. Any of the two would have been enough for a successful connection. This is akin to the sufficient option in PAM, which means that a single positive result is enough to produce a valid login. The new option in this version of OpenSSH is equivalent to PAM’s requisite option, so if any of the configured login methods fails, the connection is dropped.

So why is this important? Well, this allows two-factor – or actually multi-factor – authentication, as now just having access to your laptop with an unprotected SSH key might not be enough to enter your critical servers. In my case, that would become at least a three-factor authentication as I could make it pass through my SmartCard (which requires the physical card and knowledge of its PIN), and then ask me the password itself.

Since the second factor can be PAM itself, there is no reason why you cannot add more than one factor there. In particular you might remember that just last year I looked into two-factor authentication options and in particular I looked into DuoSecurity — unfortunately, using DuoSecurity as is with PAM is a bit of a mess. I did send a patchset to upstream to make the PAM module more useful, and reliable – among other things making it feasible to use with sudo, so that get asked the second factor only when executing commands as root – but upstream does not care. It doesn’t fit their marketing and their main consulting target, so they basically left me dangling there with a patchset that is now probably to forwardport.

If you’re interested in getting a version of duo_unix with my patchset apply available in Portage (and available in source form for other distributions), i suggest you poke Jon and Doug at DuoSecurity, and ask them about it. If they were to ask me I would be glad to forwardport the patches, and change them as needed if they don’t like the precise way I wrote them. But I reached out enough myself, trying to help them with the packaging, – including proposing to just chat on the phone about what they want to do with it while I was in the US – at this point it’s their turn.

Alternatively, I’m pretty sure you can use YubiKey but I never ended up having one of them in my hands.

Comments 4
  1. A far more interesting change is that they added support to get authorized_keys from a program. Andrea (lcars) proposed this a decade ago, instead of patching in LDAP, and now it’s finally possible

  2. The hilarious thing about this post is that you used PAM concepts (requisite, sufficient) to help explain OpenSSH. In my devops circles, PAM is the thing we like to touch the least 😛 Nobody likes reading PAM man pages or configuring it manually.Otherwise, good to head SSH supports this 🙂

  3. Then it looks like your devops circles do not know the first thing about system administration…Seriously, you may say that you don’t know PAM, but expecting it to “not be touched” reminds me why I dislike the term “devops” that much.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.