From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: scripted iptables-restore
Date: Fri, 18 Oct 2013 16:33:18 +0200
Message-ID: <526146AE.6000409@gmail.com>
In-Reply-To: <52614028.7090607@libertytrek.org>
On 18/10/2013 16:05, Tanstaafl wrote:
> On 2013-10-18 7:19 AM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
>> On 18/10/2013 12:23, Tanstaafl wrote:
>>> On 2013-10-17 10:30 PM, Walter Dnes <waltdnes@waltdnes.org> wrote:
>>>> I apologize. That is arguably a two factor system. When you said
>>>> "ssh key and password", I "jumped to delusions", assuming that it was a
>>>> standard ssh connection with the option of either key or password.
>>>
>>> Side question...
>>>
>>> So, wouldn't the simplest two-factor authentication be an SSH key that
>>> required a password?
>
>> No, there is no way to verify that a user has enabled a passphrase on an
>> ssh key.
>
> No... I mean...
>
> If I create an SSH key that requires a password (ie, not a 'blank'
> password), then when I use this ssh key to connect to the system it was
> created for, and it asks for the password...
>
> This is, as far as I can see, a poor man's 'two-factor' authentication,
> is it not?
>
I think you are misunderstanding how ssh keys work.

You do not create "an SSH key that requires a password", instead the
user sets up private key encryption locally with a secret. To use the
key it must be unlocked (decrypted) and only then can ssh use it. This
is completely under the USER's control, who is free to protect or not
protect the private key as they feel like. sshd on the server is unable
to enforce or influence this in any way.

Secondly, the statement "use this ssh key to connect to the system it
was created for" is nonsensical. A key pair has two components - public
and private keys, and the only thing sshd cares about is whether the
user connecting has the matching private key to the public one sshd can
read locally. The user is free to use that public key on as many or as
few servers as he feels like, and again sshd is in no position to
enforce or influence this. It is completely up to the user what he does
with his keys.

Perhaps you mean that on the server end the user's account has a
password defined and sshd is configured to use PAM. The PAM config could
require that the user authenticates successfully with ssh keys AND with
the Unix password before logging the user in. This can be done, but it
is not a common configuration and does not ship out of the box. It will
also confuse the living daylights out of the average user who at least
in my world is unable to differentiate between a local ssh prompt for a
key passphrase, and a remote telnet prompt for a password...
--
Alan McKinnon
alan.mckinnon@gmail.com
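The key-AND-password arrangement described at the end of the message lives entirely in sshd's configuration, since the server cannot see whether a client's private key has a passphrase. The useful server-side check is therefore whether the configuration actually closes every single-factor login path. The checker below is an added example for this thread, not code from the mail or from OpenSSH; it assumes the mechanism used is the `AuthenticationMethods` directive (with `UsePAM yes` so that the keyboard-interactive step asks PAM for the Unix password), parses only the global section of an `sshd_config`, and reports why a configuration does or does not require both factors. The three sample configurations embedded in it are constructed.

```python
"""Check whether an sshd_config requires an SSH key AND a password factor.

Added example, not the mail's or OpenSSH's code. Parses the global section of
an sshd_config (directives before any Match block) and reports whether every
AuthenticationMethods alternative demands both a public key and a password
factor. The sample configurations at the bottom are constructed.
"""

from dataclasses import dataclass, field

# Methods sshd treats as a "something you know" step. On Linux,
# keyboard-interactive only has something to ask when UsePAM is yes.
PASSWORD_METHODS = {"password", "keyboard-interactive"}


@dataclass
class Verdict:
    two_factor: bool
    reasons: list = field(default_factory=list)


def parse_global(config_text):
    """Return {keyword_lower: [values]} for directives before the first Match.

    Keywords are case-insensitive; sshd accepts "Key value" or "Key=value" and,
    for most directives, uses the first value it sees, so the first one wins.
    """
    opts = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()
        key, values = parts[0].lower(), parts[1:]
        if key == "match":
            break  # per-user/host Match blocks may differ; out of scope here
        opts.setdefault(key, values)
    return opts


def check_two_factor(config_text):
    """Verdict on whether every allowed login path needs key + password."""
    opts = parse_global(config_text)
    v = Verdict(two_factor=False)
    methods = opts.get("authenticationmethods")
    if not methods or methods == ["any"]:
        v.reasons.append("AuthenticationMethods not set: any single enabled "
                         "method logs the user in")
        return v
    if opts.get("pubkeyauthentication", ["yes"])[0].lower() == "no":
        v.reasons.append("PubkeyAuthentication is no")
    pw_enabled = opts.get("passwordauthentication", ["yes"])[0].lower() != "no"
    kbd_enabled = opts.get("kbdinteractiveauthentication",
                           opts.get("challengeresponseauthentication",
                                    ["yes"]))[0].lower() != "no"
    use_pam = opts.get("usepam", ["no"])[0].lower() == "yes"
    # Each space-separated alternative is a comma-separated chain the client
    # must complete in full; one weak alternative is enough to bypass 2FA.
    for alt in methods:
        chain = alt.split(",")
        if "publickey" not in chain:
            v.reasons.append(f"path '{alt}' does not require a key")
        pw = [m for m in chain if m in PASSWORD_METHODS]
        if not pw:
            v.reasons.append(f"path '{alt}' does not require a password")
        elif "password" in pw and not pw_enabled:
            v.reasons.append(f"path '{alt}' needs password but "
                             "PasswordAuthentication is no")
        elif "keyboard-interactive" in pw and not kbd_enabled:
            v.reasons.append(f"path '{alt}' needs keyboard-interactive but "
                             "it is disabled")
        elif "keyboard-interactive" in pw and not use_pam:
            v.reasons.append(f"path '{alt}' uses keyboard-interactive without "
                             "UsePAM yes, so no Unix password is asked for")
    v.two_factor = not v.reasons
    return v


# Constructed sample: stock-looking config, key OR password alone suffices.
WEAK_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample: the second alternative lets a password alone through.
LOOSE_CONFIG = """
PasswordAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password password
"""

# Constructed sample: key first, then PAM asks for the Unix password.
STRONG_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("loose", LOOSE_CONFIG),
                      ("strong", STRONG_CONFIG)):
        verdict = check_two_factor(cfg)
        print(f"{name}: two-factor={'yes' if verdict.two_factor else 'no'}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The checker deliberately stops at the first `Match` block: a `Match User` or `Match Address` section can override `AuthenticationMethods` for a subset of clients, so a real audit has to evaluate each block against the clients it applies to rather than trusting the global section alone.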