On 2011 Jul 22, at 14:57, Paul Graydon wrote:

> On 07/22/2011 09:29 AM, Mark McCullough wrote:
>>
>> I'm of the firm opinion that passwords themselves are the problem. We
>> forbid any user account having a password on a Unix system, and are working
>> to even implement such on Windows systems. Instead, some form of strong
>> authentication is utilized. This actually helped reduce our support costs,
>> and simplifies many things by not having to worry about password complexity
>> requirements anymore.
>>
>> The only password I accept is the password of last resort -- root.
>>
>
> SSH keys can be stolen (trojan-infected workstation, someone leaves their
> laptop unlocked at Starbucks, or their desktop unlocked on their desk) and
> biometric auth systems can be fooled. I'm rather curious, how are you
> securing authentication?
>
> I'm more inclined to look to 2-factor or other multiple-stage authentication.
> No matter what policies you set or however much training you provide, people
> will not stick to good security practices, even in the military. Convenience
> always trumps security, even though it shouldn't. Of course the best
> security is making sure people don't have access to anything: deny by
> default, permit grudgingly :)
The definition of strong authentication I've always learned is multi-factor authentication. There are a few ways to do it, but the obvious method is various PAM modules for Unix. Have a PAM module that performs your multi-factor authentication, and now all PAM-aware utilities (sudo, ssh, etc.) work with it.

There is also a common misconception that control equals security. SSH public keys and similar decentralized authentication are examples of security without control. Can one bypass? Of course. No matter what one tries, the end user can bypass it if you make security too onerous. Trying to centrally control it actually makes a place where one person could easily compromise lots of accounts. The goal is to make users want to be secure themselves and for it to be easy for them to do so, and to have enough logging that they can't evade security without you having a very good chance of detecting it.

----
"The speed of communications is wondrous to behold. It is also true that speed can multiply the distribution of information that we know to be untrue." Edward R Murrow (1964)

Mark McCullough
mmc...@earthink.net

_______________________________________________
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
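The reply above describes the mechanism (an OTP PAM module behind sshd so that every PAM-aware tool picks it up) but not how to verify that the result is actually multi-factor. Installing the module is not enough: if sshd still accepts any single method, or a `sufficient pam_unix.so` line sits above the OTP module in the auth stack, a password alone or a key alone still logs the user in. The following checker is an added example written for this page, not configuration from Mark McCullough's site or from the LOPSA list. It assumes an OpenSSH that supports the `AuthenticationMethods` directive (OpenSSH 6.2 and later, which postdates this 2011 thread) and an OTP module such as `pam_oath.so` from oath-toolkit; the sshd_config and /etc/pam.d/sshd texts embedded in it are constructed samples, and `parse_sshd_config`, `parse_pam_stack` and `check_mfa` are names chosen for the example.

```python
"""Check whether an sshd + PAM configuration actually enforces multi-factor
login, rather than merely having an OTP module installed.

Added illustration, not code from the thread.  Assumptions: OpenSSH with the
AuthenticationMethods directive (6.2+) and an OTP PAM module such as
pam_oath.so.  All configuration text below is constructed sample input.
"""
import re

# PAM modules treated as supplying the second factor (real module names).
OTP_MODULES = {"pam_oath.so", "pam_google_authenticator.so", "pam_yubico.so"}

# Constructed sample: OTP module installed, but passwords still work and
# sshd accepts any single method, so it is not multi-factor in practice.
SSHD_CONFIG_WEAK = """\
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""
PAM_SSHD_WEAK = """\
auth    sufficient  pam_unix.so
auth    required    pam_oath.so usersfile=/etc/users.oath window=20
account required    pam_unix.so
"""

# Constructed sample: key AND PAM (OTP) required, no password path at all.
SSHD_CONFIG_MFA = """\
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
"""
PAM_SSHD_MFA = """\
# No pam_unix in the auth phase: there is no password to type.
auth    required    pam_oath.so usersfile=/etc/users.oath window=20
account required    pam_unix.so
"""


def parse_sshd_config(text):
    """Map lowercased keyword -> first value (sshd honours the first
    occurrence).  Stops at the first Match block; per-user overrides are
    out of scope for this check."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def parse_pam_stack(text):
    """Return [(type, control, module)] for a /etc/pam.d/<service> file.
    Bracketed controls like [success=ok default=bad] are kept as one token."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).lower(), m.group(3)))
    return stack


def check_mfa(sshd_config, pam_sshd, otp_modules=OTP_MODULES):
    """Return a list of findings; an empty list means every login needs a
    key plus an OTP, and a password alone or a key alone is refused."""
    findings = []
    conf = parse_sshd_config(sshd_config)

    if conf.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not yes: the PAM stack is never consulted")
    # Renamed KbdInteractiveAuthentication in newer releases; both default to yes.
    kbd = conf.get("kbdinteractiveauthentication",
                   conf.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "yes":
        findings.append("keyboard-interactive is off: the OTP prompt can never run")
    if conf.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not no: a plain password is still accepted")

    methods = conf.get("authenticationmethods", "any")
    if methods.lower() == "any":
        findings.append("AuthenticationMethods is unset: any single method logs you in")
    else:
        # Space-separated alternatives; within one alternative every
        # comma-separated method must succeed.  "keyboard-interactive:pam"
        # names the PAM submethod.
        for alt in methods.split():
            names = {m.split(":", 1)[0] for m in alt.split(",")}
            if not {"publickey", "keyboard-interactive"} <= names:
                findings.append(
                    f"AuthenticationMethods alternative {alt!r} does not require key AND PAM")

    auth = [e for e in parse_pam_stack(pam_sshd) if e[0] == "auth"]
    otp_pos = [i for i, e in enumerate(auth) if e[2] in otp_modules]
    if not otp_pos:
        findings.append("no OTP module in the PAM auth phase")
    else:
        first = otp_pos[0]
        for _, control, module in auth[:first]:
            if control == "sufficient":
                findings.append(
                    f"{module} is 'sufficient' before the OTP module: it short-circuits the stack")
        if auth[first][1] not in ("required", "requisite"):
            findings.append("OTP module is not required/requisite: its failure can be ignored")
    if any(e[2] == "pam_unix.so" for e in auth):
        findings.append("pam_unix.so in the auth phase: a Unix password is still prompted for")
    return findings


if __name__ == "__main__":
    for label, cfg, pam in (("weak", SSHD_CONFIG_WEAK, PAM_SSHD_WEAK),
                            ("mfa", SSHD_CONFIG_MFA, PAM_SSHD_MFA)):
        print(label, check_mfa(cfg, pam) or "OK: key and OTP both required")
```

Run against real files with `check_mfa(open("/etc/ssh/sshd_config").read(), open("/etc/pam.d/sshd").read())`. The last finding reflects the no-password policy from the thread; a site that deliberately wants key plus password plus OTP would drop that check. Because sudo and login read their own /etc/pam.d/ files, the same PAM half of the check applies to each of them separately.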