On Tue, Mar 5, 2013 at 1:04 PM, Stuart Henderson <s...@spacehopper.org> wrote:
>> >> I am aware that "more secure" depends on the situation, such as whether
>> >> the login is happening from a trusted terminal, how the secret key is
>> >> stored on the device that is generating TOTP, is the public key
>> >> encrypted, etc. But what are your thoughts in general?
>> >
>> > I think it totally depends on the situation and can't really be applied
>> > in general. Either of them can be made to be unsafe.
>>
>> That makes sense. I guess it all depends on your trust relationship
>> with the party whom you are allowing to connect to your hosts.
>
> To illustrate: if you don't trust users to keep their authorized_keys
> file encrypted, you might want to require additional authentication (password
> or OTP). Or if you don't want the replay window that TOTP gives, then you
> might want the second factor of a public key authentication.
100% agree. Having unencrypted private keys was one of the reasons that I have
started looking into OTP/TOTP. At this point, I think it is probably better to
force "untrusted" users (those who cannot be trusted to keep their private keys
encrypted) to use TOTP with sufficiently long passwords (login_totp-and-pwd) and
allow trusted users a bit more freedom. But as you have mentioned before, it all
depends on the situation and use case, so not a general recommendation.

>> > OpenSSH has this in -current, see sshd_config(5) AuthenticationMethods.
>>
>> That is great! I will definitely give it a go.
>
> It might also be worth pointing out that this can be used in a Match
> block, therefore if wanted you can permit access from known addresses of
> secured hosts with just an SSH key, but require an additional password/OTP
> for connections from other addresses.

This is definitely something that I will use more of as the configuration
starts to get more complex.

In general, the more I use OpenBSD (and Open* friends), the more I love it.
The simplicity and elegance of these systems is just too awesome! :)

Thanks!
--peter
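As an added illustration of the Match-block arrangement described in the exchange above (this fragment is not part of the original thread and not from either poster), here is an sshd_config(5) layout that requires key plus password/OTP by default but lets connections from known secured hosts, or members of a trusted group, in with a key alone. The addresses, the group name and the login class mentioned in the comments are assumptions chosen for the example:

```sshd_config
# Added example, not from the original thread. Addresses, group name and
# the login class referred to below are placeholders.

# Global defaults: every user must first present a key and then complete
# one more method. Two alternatives are listed; the client has to finish
# one of them in full.
#   publickey,password             -> key, then the password prompt
#   publickey,keyboard-interactive -> key, then the challenge/response prompt
# Which backend answers the second prompt (e.g. a BSD auth login class such
# as a TOTP class selected in login.conf(5)) is configured outside sshd.
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive

# Connections arriving from the secured hosts (assumed addresses; CIDR
# notation is accepted) may log in with a key alone. Keywords inside a
# Match block override the global section for that connection only, so
# everything not repeated here keeps its global value.
Match Address 192.0.2.10,198.51.100.0/24
    AuthenticationMethods publickey

# Members of an assumed "keyonly" group are trusted to keep their private
# keys encrypted and may skip the second factor from any address.
Match Group keyonly
    AuthenticationMethods publickey
```

Before reloading, `sshd -t` checks the syntax, and `sshd -T -C user=peter,host=client.example.org,addr=198.51.100.5` prints the effective configuration for a hypothetical connection so you can confirm which AuthenticationMethods line a given source address actually gets. One caveat a practitioner should keep in mind: the Match Address relaxation trusts the peer address, so it only buys anything where the listed hosts are genuinely under your control and the network path to them is not one an attacker can insert traffic into.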