On 01/30/2013 09:44 AM, SilverTip257 wrote:
> On Wed, Jan 30, 2013 at 8:40 AM, Nux! <nux at li.nux.ro> wrote:
>
>> On 28.01.2013 13:07, SilverTip257 wrote:
>>> Google Auth
>>> http://www.noktec.be/archives/1351
>>>
>>> http://zonereseau.com/en/post/two-factor-ssh-authentication-via-google-secures-linux-logins-392
>>> http://prasys.info/2012/10/two-way-authentication-for-wordpress/
>> How can one be concerned with security AND put his login at the mercy
>> of google (or any other 3rd party)??
>>
>>
> That's a good point to question.
>
> I was in no way endorsing that one should use Google's Auth services.
> (Just that it exists and has been written about numerous times.)
>
> Personally I do not use it now and would not use it for any systems that
> need to be secure. Which pretty much means unless I can run the auth
> daemons on a server I control, I won't be using it.
>

after seeing this thread, i looked at the google auth stuff since i had been using that with dropbox and happy so far with it.

google is not in the auth chain at all. what they have done is take a standard algorithm for time based keys and made an android app and pam module that work together to allow for two factor auth. basically you are creating a shared secret that is combined with a timestamp and that computed value is used to confirm that the user authenticating knows that shared secret. very similar to the rsa fobs, but all done with open software.

and yes, it is only as secure as your file storage is on the server being connected to because each user's shared secret is stored in their home folder.

if you add the epel repo, it is available from them. tweak your ssh config to allow challenge/response and pam to require google auth and then each user creates their own secret. because of how ssh works, this only happens if you don't have a keypair in place, so it lets you fall back to password combined with the auth token.