[Labs-l] 2-factor shell auth (was:second attempt to request alternative login server)

Ryan Lane rlane32 at gmail.com
Wed Mar 6 23:43:43 UTC 2013


On Wed, Mar 6, 2013 at 3:03 PM, Matthew Walker <mwalker at wikimedia.org>wrote:

> That's not scalable, and it's insecure on untrusted systems.
>
> Good to know :) Also; fantastic link. I'll have to move my systems over.
>
> It really sucks having to type your token in every single time you want to
>> log into any instance.
>
> Yep -- unfortunately no one has come up with a good method of making
> security convenient :D
>
>
It's more than just an inconvenience thing, though. There's some security
tradeoffs, too. SSH keys are public/private key, whereas OATH is based on a
shared secret. If the centralized OATH server is compromised then all keys
are also compromised as well.

SSH keys can't be compromised in this way. They exist on the user's local
system. A user's key can be used through an agent, if the agent is
forwarded and the host is compromised (or the host is untrusted), but it
can't be outright stolen unless the attacker has access to the user's local
key. Additionally, it's possible to require local approval for every agent
access, which blocks agent attacks as well.

There's another major problem with two-factor auth using OATH: It requires
you to submit your password and your token. This is mostly safe in an
environment you trust. In Labs you have to assume that most instances you
are logging into aren't trusted, as we allow folks to have root. Your
password can be stolen. This is one of the reasons we disabled passwords
for sudo.

Overall, I think SSH keys are the most secure form of authentication we can
use, currently. That said, I'm quite a fan of using OATH for web
authentication, and centralizing as much web auth as possible into a single
authn/z location using OpenID/OAuth.

- Ryan
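An added illustration of the shared-secret point above (example code written for this page, not from the thread or the Labs OATH deployment): an HOTP (RFC 4226) client and server in Python, using the RFC's published test secret. The same function produces and verifies the code, so whoever holds the server's secret store holds everything needed to pass verification; the counter consumption shows the replay check a verifier should still apply.

```python
import hmac
import hashlib
import struct

# RFC 4226 reference secret (constructed test vector, not a real credential).
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OathServer:
    """Minimal centralized verifier: one shared secret and counter per user."""

    def __init__(self):
        self.store = {}  # user -> [secret, next_counter]

    def enroll(self, user: str, secret: bytes) -> None:
        self.store[user] = [secret, 0]

    def verify(self, user: str, code: str, look_ahead: int = 3) -> bool:
        """Accept a code within the look-ahead window and consume its counter,
        so a captured code cannot be replayed."""
        secret, counter = self.store[user]
        for c in range(counter, counter + look_ahead + 1):
            if hmac.compare_digest(hotp(secret, c), code):
                self.store[user][1] = c + 1
                return True
        return False


def verifier_holds_generating_secret(server: OathServer, user: str) -> bool:
    """The property the thread warns about: the verifier's own store is
    sufficient to produce a code that the verifier accepts. With a public-key
    scheme (SSH keys) the verifier holds only the public half and cannot."""
    secret, counter = server.store[user]
    return server.verify(user, hotp(secret, counter))
```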