[Software] MFA/OTP Authentication when Logging in via SSH

amritarha
Posts: 9
Joined: 2021-10-13 15:38

[Software] MFA/OTP Authentication when Logging in via SSH

#1 Post by amritarha »

Greetings,

We are attempting to follow federal regulation for logging into our Debian Bullseye servers via SSH. One of the requirements is that multi-factor authentication (MFA) is enabled.

This is the federal wording that defines MFA:

(k) Multi-factor authentication means authentication through verification of at least two of the following types of authentication factors:  
(1) Knowledge factors, such as a password;  
(2) Possession factors, such as a token; or  
(3) Inherence factors, such as biometric characteristics.  
Would encrypted SSH Key authentication be considered MFA according to this?

Would I need to implement google-authenticator OTP logins to satisfy this?

Has anyone had an experience with setting up any kind of MFA for debian? We have fingerprint readers and USB tokens but I'm not aware of an implementation for it.

kent_dorfman766
Posts: 535
Joined: 2022-12-16 06:34
Location: socialist states of america
Has thanked: 57 times
Been thanked: 70 times

Re: [Software] MFA/OTP Authentication when Logging in via SSH

#2 Post by kent_dorfman766 »

The combination of password and public/private key pairs meets the definitions above. My interpretation of the above is that items one and two are satisfied by password/identity-key combinations.

lindi
Debian Developer
Posts: 412
Joined: 2022-07-12 14:10
Has thanked: 1 time
Been thanked: 77 times

Re: [Software] MFA/OTP Authentication when Logging in via SSH

#3 Post by lindi »

amritarha wrote: 2023-05-23 20:31
Greetings,

We are attempting to follow federal regulation for logging into our Debian Bullseye servers via SSH. One of the requirements is that multi-factor authentication (MFA) is enabled.

This is the federal wording that defines MFA:

(k) Multi-factor authentication means authentication through verification of at least two of the following types of authentication factors:  
(1) Knowledge factors, such as a password;  
(2) Possession factors, such as a token; or  
(3) Inherence factors, such as biometric characteristics.  
Would encrypted SSH Key authentication be considered MFA according to this?
I don't think so. You can easily make copies of your ssh private key so it is not a possession factor.

kent_dorfman766
Posts: 535
Joined: 2022-12-16 06:34
Location: socialist states of america
Has thanked: 57 times
Been thanked: 70 times

Re: [Software] MFA/OTP Authentication when Logging in via SSH

#4 Post by kent_dorfman766 »

I don't think so. You can easily make copies of your ssh private key so it is not a possession factor.
I would consider it valid since it is part of a key pair where the target must have and trust your public key part. As long as it also requires a password then why would that not be "2fa" by definition?

Actually, my own digging on the net leaves this issue as a "depends who you want to believe". Some entities are enamored with biometrics or using SMS/cellphone channels for part of the authentication so they completely ignore the password/key mechanism of ssh.

If in fact the govt spec is stated exactly as the author portrays then I would vigorously defend password/key as being a valid solution.

amritarha
Posts: 9
Joined: 2021-10-13 15:38

Re: [Software] MFA/OTP Authentication when Logging in via SSH

#5 Post by amritarha »

kent_dorfman766 wrote: 2023-05-23 22:41
I don't think so. You can easily make copies of your ssh private key so it is not a possession factor.
I would consider it valid since it is part of a key pair where the target must have and trust your public key part. As long as it also requires a password then why would that not be "2fa" by definition?

Actually, my own digging on the net leaves this issue as a "depends who you want to believe". Some entities are enamored with biometrics or using SMS/cellphone channels for part of the authentication so they completely ignore the password/key mechanism of ssh.

If in fact the govt spec is stated exactly as the author portrays then I would vigorously defend password/key as being a valid solution.
This was the same conclusion I have found from my own research. There is debate amongst my peers on this issue as well.

I have implemented the google-authenticator plugin just in case, but the method being pushed is forcing us to use windows authenticator to get into a windows server and then SSH in from there.

However, this seems to be a poor solution from my perspective as it requires creating another VM and interrupts the workflow for users who code in our development environment over WinSCP using their IDE.

The google-authenticator plugin presents its own challenges as well for deployment to a large number of users.

I have a meeting on this issue in 20 minutes. I will update how it goes.

amritarha
Posts: 9
Joined: 2021-10-13 15:38

Re: [Software] MFA/OTP Authentication when Logging in via SSH

#6 Post by amritarha »

Got off the meeting and I was unable to get the others to agree that encrypted keys are valid MFA. Their argument was that the key could be easily copied or theoretically be something you know.

However they agreed the google-authenticator method was valid and should work.

Personally the only issue I have with encrypted SSH key as MFA is that the two factors are not enforceable from the server side. I could generate a non-encrypted key to authenticate and the server would not know.

I am moving forward with the google-authenticator method even though it's a bit more of a hassle, but at least I am not forced to RDP into a windows server to connect.
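An added example, not code from any poster in this thread: the sshd drop-in and PAM change that make the key + google-authenticator TOTP method chosen above enforceable on the server side (the point raised in #6 about encrypted keys being unverifiable from the server), plus an audit function that checks the two classic mistakes, a space instead of a comma in AuthenticationMethods (which means "either method", not both) and a leftover common-auth or nullok that lets the second factor be skipped. It assumes Debian bullseye with OpenSSH 8.4, whose stock /etc/ssh/sshd_config carries "Include /etc/ssh/sshd_config.d/*.conf", and a stock Debian /etc/pam.d/sshd whose auth stack begins with "@include common-auth"; the file names 10-mfa.conf and the demo() scratch tree are this example's own choices, and the sample pam file in demo() is constructed, not copied from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): generate and audit the sshd + PAM
# configuration that requires an SSH key AND a TOTP code from
# libpam-google-authenticator, so the second factor is enforced server-side.
# Everything is written under a target directory ($1) so it can be dry-run in
# a scratch tree; point it at / as root to apply for real.
# Assumptions: Debian bullseye (OpenSSH 8.4) with
# "Include /etc/ssh/sshd_config.d/*.conf" in /etc/ssh/sshd_config, and a stock
# Debian /etc/pam.d/sshd whose auth stack starts with "@include common-auth".
set -eu

# sshd drop-in: key first, then PAM keyboard-interactive (the TOTP prompt).
write_sshd_mfa_conf() {
    dir="$1"
    mkdir -p "$dir/etc/ssh/sshd_config.d"
    cat > "$dir/etc/ssh/sshd_config.d/10-mfa.conf" <<'EOF'
# Comma = ALL listed methods must succeed, in this order.
# A space-separated list would mean ANY ONE of them, which is not MFA.
AuthenticationMethods publickey,keyboard-interactive:pam
UsePAM yes
# OpenSSH 8.4 spelling; 8.7+ calls this KbdInteractiveAuthentication.
ChallengeResponseAuthentication yes
# No password path at all: sshd never offers the knowledge factor on its own.
PasswordAuthentication no
PermitEmptyPasswords no
EOF
}

# /etc/pam.d/sshd: put the TOTP module first and disable the password stack,
# otherwise users get key, then password, then code (three prompts).
patch_pam_sshd() {
    f="$1"
    tmp="$f.tmp"
    {
        printf '%s\n' \
            '# TOTP second factor (libpam-google-authenticator). No "nullok":' \
            '# a user without ~/.google_authenticator is refused, not waved through.' \
            'auth required pam_google_authenticator.so'
        sed 's/^@include common-auth$/#@include common-auth  # disabled: key + TOTP/' "$f"
    } > "$tmp" && mv "$tmp" "$f"
}

# Audit: return 0 only if the generated files really enforce key + TOTP.
check_mfa_conf() {
    dir="$1"
    conf="$dir/etc/ssh/sshd_config.d/10-mfa.conf"
    pam="$dir/etc/pam.d/sshd"
    grep -Eq '^AuthenticationMethods[[:space:]]+publickey,keyboard-interactive(:pam)?$' "$conf" || return 1
    grep -Eq '^UsePAM[[:space:]]+yes$' "$conf" || return 1
    grep -Eq '^PasswordAuthentication[[:space:]]+no$' "$conf" || return 1
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so$' "$pam" || return 1
    # A live common-auth line or a nullok would let the second factor be skipped.
    ! grep -Eq '^@include common-auth$' "$pam" || return 1
    ! grep -Eq 'pam_google_authenticator\.so.*nullok' "$pam" || return 1
    return 0
}

# Dry run into a scratch tree with a constructed stand-in for Debian's pam file.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/pam.d"
    printf '%s\n' '@include common-auth' 'account required pam_nologin.so' \
        '@include common-account' '@include common-session' > "$root/etc/pam.d/sshd"
    write_sshd_mfa_conf "$root"
    patch_pam_sshd "$root/etc/pam.d/sshd"
    check_mfa_conf "$root" && echo "key + TOTP enforced under $root"
}

if [ "${1:-}" = demo ]; then demo; fi
```

To apply on a real host: install libpam-google-authenticator, source the script and run write_sshd_mfa_conf /, patch_pam_sshd /etc/pam.d/sshd and check_mfa_conf /, validate with sshd -t, have each user enrol with google-authenticator -t -d -f -r 3 -R 30 -w 3 before the restart (without nullok an unenrolled user is locked out), then systemctl restart ssh while keeping an existing session open in case the first login attempt fails. The AuthenticationMethods regex in the audit is deliberately strict about the comma because that one character is the difference between "key and code" and "key or code".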
