* Ray Van Dolson <rvandol...@esri.com> [2015-05-20 22:55:41-0700]:
> Yubikey or Yubikey+AuthLite are nice solutions for machine logins.
> What other approaches are some of you using?

Google Authenticator works well for this task:

    https://github.com/google/google-authenticator/

Some nice things about it:

    - there are iPhone/Android apps for it

    - there is a port on FreeBSD to build a PAM module out of the box
      (security/pam_google_authenticator); there are similar packages
      for Linux

    - in addition to TOTP (time-based one-time passwords) it also gives
      you some single-use passwords that you print and put in your wallet
      or wherever to use if your phone is not available

    - it works with LastPass and other password managers as well

    - apart from the smartphone app, there is no physical token to carry
      around (a la RSA SecurID)

It works as expected and is great if you're looking to implement
two-factor authentication on a budget. It only took me a few minutes to
get my FreeBSD servers running it (basically building the port and
adding a single line to /etc/pam.d/sshd).

Once everything is installed, you can ssh in using a key, then it's
bypassed. But if you ssh in and a password is needed to authenticate, it
will ask for the verification code on top of that:

    $ ssh example.org
    Password for u...@example.org: [enter password here]
    Verification code: [enter TOTP here]
    Last login: Fri Apr  3 02:12:48 2015 from example.edu
    FreeBSD 10.1-RELEASE-p6 (GENERIC) #0: Tue Feb 24 19:00:21 UTC 2015

    Welcome to FreeBSD!
    [...]

The only difference from a normal ssh session is the addition of that
verification code prompt.

hth,
Thomas
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
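
The "Verification code" prompt in the message above checks a TOTP value. The following is an added example, not part of the original post and not the PAM module's own code, showing how such a code is derived (RFC 6238, HMAC-SHA1) and checked server-side. The function names, the one-step skew window and the replay check via `last_counter` are assumptions of this sketch; the secret is the RFC 6238 test key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 SHA-1 test key, base32-encoded
# the way authenticator apps expect it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), int(now) // step, digits)

def verify(secret_b32, code, now, last_counter=-1, step=30, window=1):
    """Return the matching time-step counter, or None if the code is rejected.

    window (assumed value): steps of clock skew tolerated on either side.
    last_counter: highest counter already accepted for this user; any code
    at or below it is refused so a captured code cannot be replayed.
    """
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    current = int(now) // step
    for counter in range(max(0, current - window), current + window + 1):
        if counter <= last_counter:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(key, counter, len(code)), code):
            return counter
    return None

if __name__ == "__main__":
    code = totp(SECRET, 59)
    print("code at t=59:", code)
    print("accepted at t=89 (one step late):", verify(SECRET, code, 89))
    print("accepted at t=120 (outside window):", verify(SECRET, code, 120))
    print("replayed after use:", verify(SECRET, code, 59, last_counter=1))
```

The caller stores the returned counter per user and passes it back as `last_counter` on the next login, which is what makes each code single-use within its validity window.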