On 3/24/25 05:39, jeremy ardley wrote:
On 24/3/25 12:29, jeremy ardley wrote:
You could use MFA on the SSH connection and then use certificates to
establish the VPN connection?
My SSH MFA setup has clients must connect using a certificate, then
they must enter a pasword, and then they must complete a google
authenticator.
It is possible to configure OpenVPN with MFA such as google
authenticator, but other mechanisms are possible.
I should mention that having an internet facing ssh service is usually a
very bad idea. The 'better' approach is to have only a VPN exposed and
use heavy security on that. Once the VPN link is established you can ssh
through the VPN to internal systems.
This is realy the best way forward.
An other MFA alternative is PKI and user/ PWD prompt and optionaly 2FA.
--
John Doe
