[clug] SSH key and smartphone based authentication

Michael James clug3 at james.st
Thu Apr 18 22:22:56 MDT 2013

It might be time to revisit authentication
 now that smartphones are ubiquitous.

I'm looking for a system that requires 2 factors:
  1)	Something you have (access to),
	i.e. your smartphone or your computer.
  2)	Something you know, i.e. a fixed password to unlock app or key.

Locked SSH keys do this from your computer already,
 you can protect access to the file containing the locked key
 and you still need to unlock it to use it.

Having public_key/private_key allows you
 to be reasonably free putting the public key on hosts,
 other users, even root users can't grab a credential
 that allows them to impersonate you.

Trick here is a distribution mechanism for keys.
Anyone played with MonkeySphere?

Or is there another mechanism where:
  1)	You define the trust relationships formally on a single (well guarded) trusted host.
  2)	A cron job generates (and re-generates after a month) the keys and installs them for you.

Back to smartphones.
I'm looking for an open source app (android/iphone) that:

  1)	Can be loaded up with keys.
  2)	Stores said keys encrypted with a fixed memorable password.
  3)	Once unlocked, uses key to generate a One Time Password.
  4)	Target host can check OTP using a public OTP-checking key.
  5)	Knowing the public OTP-checking key is not enough to generate OTPs.

First obvious candidate is Google Authenticator.
Doesn't do points 2 and 5.

  2)	The app itself doesn't lock or store its contents encrypted.
	Yes you could lock your phone, but if lost the flash can be read.

  5)	The Time (based) One Time Password standard uses symmetric keys.
	Anyone with read access to your home dir on a client host
	 can get the key to generate more passwords.
	Not a problem if the key is only installed on 1 host.
	If they have enough privilege to read it you are pwned already
	 but if the key is installed across a spectrum of hosts
	 or the home dir is NFS mounted across multiple hosts
	 then attackers can account hop across all similar hosts.

Is there anything better than Google Authenticator out there?


PS:  OpenSSH configuration tip

Having this setup on my desktops allows 2 levels of security.
Some hosts I can just get into automatically.
For more secure hosts or privilege escalation
 install the locked key in    ~/.ssh/authorized_keys
Automagically get prompted for the password
 when the host insists on the locked key.

michaelj>   cat ~/.ssh/config
# For openSSH install this as     ~/.ssh/config
# On more secure hosts authorize the public locked key.
# Both keys are available in SSH negotiations.
# Only get prompted for the password when needed.
Host *
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_rsa_locked
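
Added example, not part of the original post: a minimal RFC 6238 TOTP showing the point 5 problem above (the secret a host stores to check codes is the same secret that generates them) and the "installed on 1 host" case generalized to one secret per host. The per-host derivation, host names and secrets are constructed assumptions, not a feature of Google Authenticator.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", max(0, unix_time) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(stored_secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Host-side check: recompute from the stored secret, allowing +/- window steps of drift."""
    return any(
        hmac.compare_digest(
            totp(stored_secret, unix_time + d * STEP, len(submitted)), submitted)
        for d in range(-window, window + 1)
    )

def per_host_secret(master: bytes, hostname: str) -> bytes:
    """Hypothetical scheme: the phone keeps `master`, each host stores only its own derived secret."""
    return hmac.new(master, hostname.encode(), hashlib.sha256).digest()

def demo(now: int = 1366345376):  # constructed timestamp
    # Case 1: one symmetric secret installed on host A and host B (or an NFS home dir).
    shared = b"constructed-shared-secret"
    read_on_host_a = shared  # what a reader of the file on host A obtains
    accepted_on_b = verify(shared, totp(read_on_host_a, now), now)

    # Case 2: a distinct secret per host; host A's stored secret is useless on host B.
    master = b"constructed-master-on-phone"
    secret_a = per_host_secret(master, "host-a.example")
    secret_b = per_host_secret(master, "host-b.example")
    a_code_on_b = verify(secret_b, totp(secret_a, now), now)
    owner_on_b = verify(secret_b, totp(per_host_secret(master, "host-b.example"), now), now)
    return accepted_on_b, a_code_on_b, owner_on_b

if __name__ == "__main__":
    print(demo())
```

Per-host secrets contain the account hopping but each host still holds a generator for itself; only an asymmetric scheme meets point 5 as stated.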
