* Ray Van Dolson <rvandol...@esri.com> [2015-05-20 22:55:41-0700]:
> Yubikey or Yubikey+AuthLite are nice solutions for machine logins.
> What other approaches are some of you using?

Google Authenticator works well for this task:

https://github.com/google/google-authenticator/

Some nice things about it:

- there are iPhone/Android apps for it
- there is a port on FreeBSD to build a PAM module out of the box
  (security/pam_google_authenticator); there are similar packages for Linux
- in addition to TOTP (time-based one-time passwords) it also gives you
  some single-use passwords that you print and put in your wallet or
  wherever to use if your phone is not available
- it works with LastPass and other password managers as well
- apart from the smartphone app, there is no physical token to carry
  around (a la RSA SecurID)

It works as expected and is great if you're looking to implement
two-factor authentication on a budget. It only took me a few minutes to
get my FreeBSD servers running it (basically building the port and adding
a single line to /etc/pam.d/sshd).

Once everything is installed, you can ssh in using a key, then it's
bypassed. But if you ssh in and a password is needed to authenticate, it
will ask for the verification code on top of that:

    $ ssh example.org
    Password for u...@example.org: [enter password here]
    Verification code: [enter TOTP here]
    Last login: Fri Apr 3 02:12:48 2015 from example.edu
    FreeBSD 10.1-RELEASE-p6 (GENERIC) #0: Tue Feb 24 19:00:21 UTC 2015

    Welcome to FreeBSD!
    [...]

The only difference from a normal ssh session is the addition of that
verification code prompt.

hth,
Thomas