SSH and Two-Factor Auth
If you’re running an SSH server and are security conscious, then using two-factor authentication is a good idea. Two-factor auth generally means combining something you know (like a password) with something you have (like a cell phone, a one-time password token, etc.).
I use Arch Linux and was recently looking for viable solutions.
Google Authenticator is an app for your phone that generates one-time passwords (OTPs). It can use either counter-based OTPs (HOTP) or time-based OTPs (TOTP). Its primary purpose is to provide two-factor auth for your Google/Gmail account. However, Google has also put out a PAM module that can be used with OpenSSH.
If you’ve ever used something like RSA SecurID then this will be very familiar to you. After typing in your username and password, you’ll be prompted to type in the OTP your phone is currently showing.
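To make the HOTP/TOTP distinction concrete, here is an added example (not code from Google Authenticator or its PAM module) that generates both kinds of OTP and shows the server-side check a PAM module has to perform: accepting a code from a small window of adjacent time steps to tolerate clock skew, and refusing to accept the same code twice. The secret is the published RFC 4226/6238 test-vector secret, so the outputs can be compared against the RFCs; the window and replay policy are assumptions of this example.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation plus a windowed verifier.

Added example; not the Google Authenticator, Duo, or PAM module code.
"""
import hashlib
import hmac
import struct

# The RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
# It is a published test vector, not a real secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits (RFC 4226 s.5.3)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, used_steps=None) -> bool:
    """Server-side check of a submitted TOTP.

    Accepts the code for time steps T-window .. T+window so that a phone
    whose clock is slightly off still works, compares in constant time,
    and records the step that matched so the same code cannot be replayed
    within the window (the caller keeps `used_steps` per user).
    """
    if used_steps is None:
        used_steps = set()
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate in used_steps:
            continue  # this step's code has already been consumed
        expected = totp(secret, candidate * step, step, digits)
        if hmac.compare_digest(expected, code):
            used_steps.add(candidate)
            return True
    return False


if __name__ == "__main__":
    for c in range(4):
        print(f"HOTP counter {c}: {hotp(TEST_SECRET, c)}")
    print("TOTP at t=59:", totp(TEST_SECRET, 59))
    seen = set()
    print("first use accepted:", verify_totp(TEST_SECRET, "287082", 59, used_steps=seen))
    print("replay accepted:", verify_totp(TEST_SECRET, "287082", 59, used_steps=seen))
```

The replay bookkeeping is the part that matters most for SSH: a TOTP is valid for the whole 30-second step (plus the skew window), so a verifier that does not remember which steps it has already accepted lets a captured code be reused until the window expires.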
One known issue with OpenSSH is that PAM authentication is skipped when you authenticate with a public/private keypair, so the OTP prompt never appears. One possible solution is outlined here.
Duo Security offers two-factor authentication with a software-as-a-service model. Fortunately, it’s free for personal use if you use their mobile app, in which case you get a push notification on your phone with the opportunity to tap an approve or deny button.
You can also choose to authenticate via callback or SMS. These require telephony credits that cost money. You do get 1000 of these for free, however, with a personal account.
Duo Unix comes with both a PAM module and a login utility that can be used when authenticating via public/private keypair.
Other possible solutions
I haven’t tried any of these, but thought I’d include them for completeness.
- Here’s a wiki page explaining how to use this via OPIE in Arch Linux.
- GRC’s Perfect Paper Passwords
- Here’s a wiki page explaining how to use this in Arch Linux.
- There’s a package for Arch Linux available here.
- It doesn’t look like this is currently available in Arch Linux.
More possible solutions I haven’t tried (April 1, 2012 update)
There are a number of PAM modules that integrate with Mobile-OTP. While browsing through the different solutions, I saw that RCDevs has a PAM module for tiqr. tiqr is fairly unique because it involves scanning QR codes as an auth factor.