[clug] SSH key and smartphone based authentication
clug3 at james.st
Thu Apr 18 22:22:56 MDT 2013
It might be time to revisit authentication
now that smartphones are ubiquitous.
I'm looking for a system that requires 2 factors:
1) Something you have (access to), i.e. your smartphone or your computer.
2) Something you know, i.e. a fixed password to unlock app or key.
Locked SSH keys do this from your computer already:
you can protect access to the file containing the locked key,
and you still need to unlock it to use it.
Having a public key/private key pair allows you
to be reasonably free about putting the public key on hosts;
other users, even root users, can't grab a credential
that allows them to impersonate you.
The trick here is a distribution mechanism for keys.
Anyone played with MonkeySphere?
Or is there another mechanism where:
1) You define the trust relationships formally on a single (well guarded) trusted host.
2) A cron job generates (and re-generates after a month) the keys and installs them for you.
Back to smartphones.
I'm looking for an open source app (Android/iPhone) that:
1) Can be loaded up with keys.
2) Stores said keys encrypted with a fixed memorable password.
3) Once unlocked, uses key to generate a One Time Password.
4) Target host can check OTP using a public OTP-checking key.
5) Knowing the public OTP-checking key is not enough to generate OTPs.
First obvious candidate is Google Authenticator.
It doesn't do points 2 and 5.
2) The app itself doesn't lock or store its contents encrypted.
Yes, you could lock your phone, but if it is lost the flash can be read.
5) The Time-based One-Time Password standard uses symmetric keys.
Anyone with read access to your home dir on a client host
can get the key to generate more passwords.
Not a problem if the key is only installed on 1 host.
If they have enough privilege to read it you are pwned already,
but if the key is installed across a spectrum of hosts
or the home dir is NFS mounted across multiple hosts
then attackers can account hop across all similar hosts.
Is there anything better than Google Authenticator out there?
PS: OpenSSH configuration tip
Having this setup on my desktops allows 2 levels of security.
Some hosts I can just get into automatically.
For more secure hosts or privilege escalation,
install the locked key in ~/.ssh/authorized_keys.
I automagically get prompted for the password
when the host insists on the locked key.
michaelj> cat ~/.ssh/config
# For openSSH install this as ~/.ssh/config
# On more secure hosts authorize the public locked key.
# Both keys are available in SSH negotiations.
# Only get prompted for the password when needed.
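To make the symmetric-key problem in point 5 concrete, here is an added example (my own code, not from the post, Google Authenticator or any app): an RFC 6238 TOTP generator, where the verifying host must hold the same secret as the phone, beside a signed-time-step OTP where the host stores only a public key. The 30-second step, 8-digit codes, the Ed25519 signature scheme and the sample secret are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// timeStep encodes the 30-second TOTP counter (RFC 6238 with T0=0, X=30).
func timeStep(unixTime int64) []byte {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	return msg[:]
}

// TOTP is RFC 6238 with HMAC-SHA1. The verifying host must hold the same
// secret as the generator, so anyone who can read it can mint valid codes.
func TOTP(secret []byte, unixTime int64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	mac.Write(timeStep(unixTime))
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// SignedOTP: the phone signs the current time step with its private key.
func SignedOTP(priv ed25519.PrivateKey, unixTime int64) []byte {
	return ed25519.Sign(priv, timeStep(unixTime))
}

// VerifySignedOTP needs only the public key, which cannot produce signatures.
func VerifySignedOTP(pub ed25519.PublicKey, unixTime int64, otp []byte) bool {
	return ed25519.Verify(pub, timeStep(unixTime), otp)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := int64(1366345376) // constructed sample timestamp (April 2013)
	fmt.Println("host accepts phone OTP:", VerifySignedOTP(pub, now, SignedOTP(priv, now)))
	fmt.Println("RFC 6238 sample (T=59):", TOTP([]byte("12345678901234567890"), 59, 8))
}
```

A copy of the public key on every host, or in an NFS-mounted home directory, gives an attacker nothing to generate codes with, which is exactly the property a shared TOTP secret lacks.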