From: Alan McKinnon
Date: Thu, 17 Oct 2013 08:59:15 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: scripted iptables-restore
Message-ID: <525F8AC3.2050504@gmail.com>
In-Reply-To: <20131016232151.GA25241@waltdnes.org>

On 17/10/2013 01:21, Walter Dnes wrote:
> On Mon, Oct 14, 2013 at 10:45:10PM +0200, Alan McKinnon wrote
>
>> Access to my backend network is two-factor - ssh keys and decent
>> passwords.
>
> That is *NOT* Two-factor authentication. See
> http://en.wikipedia.org/wiki/Multi-factor_authentication for the
> details. Executive summary... Two-factor authentication requires you to
> present two authentication factors each time. I.e. it's A *AND* B.
> Your setup is A *OR* B. The usual implementations include 2 factors...
> 1) userID+password
> 2) a small credit-card-sized unit that generates random-looking
> multi-digit numbers that change every minute.
>
> In order to log on the user must enter both the userID+password combo
> *AND* the current number on the token card.
>

It's a poor choice of words on my part.
We do have that exact two-factor system to access the network via VPN, but that's just a portal. Accessing the actual backend network is a two-stage process: ssh key to the jump host, then password to get onto the actual destination.

So it's "two factor" as a generic English language phrase, not "two factor" as a technical description of an exact thing.

Keep in mind that English is a highly overloaded language :-)

-- 
Alan McKinnon
alan.mckinnon@gmail.com
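The A-AND-B versus A-OR-B distinction Walter draws above maps directly onto OpenSSH's AuthenticationMethods directive: a comma-separated list means every listed method must succeed on the same login (AND), while space-separated lists are alternatives (OR), and with the directive absent any single enabled method lets you in. The following is an added example, not code from the thread or from Gentoo: a small audit that reads an sshd_config text and reports whether the global section forces at least two methods on every path in. The three config strings are constructed samples; the audit only counts distinct method names, not whether they are different factor categories, and it ignores Match blocks (both are simplifications I am assuming for the example). Note that a two-stage setup like the jump host described above would not be flagged either way, since each host on its own still accepts a single method.

```python
"""Audit an sshd_config text for an AuthenticationMethods policy that
requires two methods on a single login (A AND B) rather than accepting
any one enabled method (A OR B, the default)."""

from typing import List

# Constructed sample configs for the example (not from any real host).
SINGLE_FACTOR_CFG = """\
# default-style config: any one enabled method is enough to log in
PubkeyAuthentication yes
PasswordAuthentication yes
"""

TWO_FACTOR_CFG = """\
PubkeyAuthentication yes
PasswordAuthentication yes
# key AND password, in that order, on the same login
AuthenticationMethods publickey,password
"""

MIXED_CFG = """\
# key+password is one path in, but a bare key is also accepted (OR)
AuthenticationMethods publickey,password publickey
"""


def authentication_methods(config_text: str) -> List[List[str]]:
    """Return the global AuthenticationMethods policy as a list of
    alternatives; each alternative lists the methods that must ALL succeed.
    sshd honours the first occurrence of a keyword, so the first directive
    wins.  Assumption for this example: Match blocks are ignored, so parsing
    stops at the first Match line."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "match":
            break  # everything after Match is conditional; global section ends
        if keyword == "authenticationmethods":
            if len(parts) == 1 or parts[1].lower() == "any":
                return []  # "any" is the default: one method suffices
            return [alt.split(",") for alt in parts[1:]]
    return []  # directive absent: any single enabled method suffices


def requires_two_factors(config_text: str) -> bool:
    """True only if every alternative chains at least two distinct methods,
    i.e. there is no path in that needs just one of them."""
    alternatives = authentication_methods(config_text)
    if not alternatives:
        return False
    return all(len({m.lower() for m in alt}) >= 2 for alt in alternatives)


if __name__ == "__main__":
    for name, cfg in (("single", SINGLE_FACTOR_CFG),
                      ("two-factor", TWO_FACTOR_CFG),
                      ("mixed", MIXED_CFG)):
        print(f"{name}: requires two methods = {requires_two_factors(cfg)}")
```

Run against a real file with open('/etc/ssh/sshd_config').read(); MIXED_CFG is the case worth watching for, because a policy that lists a strong chain first still reads as A OR B if a weaker alternative follows it.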