[CentOS] 2way authentication for SSH?

Tue Feb 5 23:22:10 UTC 2013
Joe Pruett <joey at q7.com>

On 01/30/2013 09:44 AM, SilverTip257 wrote:
> On Wed, Jan 30, 2013 at 8:40 AM, Nux! <nux at li.nux.ro> wrote:
>
>> On 28.01.2013 13:07, SilverTip257 wrote:
>>> Google Auth
>>> http://www.noktec.be/archives/1351
>>>
>> http://zonereseau.com/en/post/two-factor-ssh-authentication-via-google-secures-linux-logins-392
>>> http://prasys.info/2012/10/two-way-authentication-for-wordpress/
>> How can one be concerned with security AND put his login at the mercy
>> of google (or any other 3rd party)??
>>
>>
> That's a good point to question.
>
> I was in no way endorsing that one should use Google's Auth services.
> (Just that it exists and has been written about numerous times.)
>
> Personally I do not use it now and would not use it for any systems that
> need to be secure.  Which pretty much means unless I can run the auth
> daemons on a server I control, I won't be using it.
>

After seeing this thread, I looked at the Google Auth stuff since I had
been using that with Dropbox and have been happy so far with it.

Google is not in the auth chain at all. What they have done is take a
standard algorithm for time-based keys and made an Android app and PAM
module that work together to allow for two-factor auth. Basically you
are creating a shared secret that is combined with a timestamp, and that
computed value is used to confirm that the user authenticating knows
that shared secret. Very similar to the RSA fobs, but all done with open
software. And yes, it is only as secure as your file storage is on the
server being connected to, because each user's shared secret is stored in
their home folder. If you add the EPEL repo, it is available from them.
Tweak your SSH config to allow challenge/response and PAM to require
Google Auth, and then each user creates their own secret. Because of how
SSH works, this only happens if you don't have a keypair in place, so it
lets you fall back to password combined with the auth token.