On 23/7/24 10:16, jeremy ardley wrote:
I use Google Authenticator as an option in pam to secure ssh connections.
It can be plugged into other services such as httpd and normal cli login.
I expect Google authenticator also works on Windows.
NB. Google Authenticator does not use any Google cloud services. It is
purely a local application on your machine.
I just did a quick search about Google Authenticator vs Authy. It seems
an issue is the GA phone client not having a PIN.
In my main use case of ssh connections I have multiple layers of
security so having my phone compromised won't help an attacker.
Using PAM:
1. I require my ssh connection to provide a certificate. I store the
public key in LDAP and use only that rather than any user installed key.
2. I require the user to provide a password that can be local and/or in LDAP.
3. I require the user to enter a 2FA Google Authenticator code.
This can be modified in PAM so that machine accounts only need a
certificate while interactive users get the full security treatment.
Where the login is on a TTY, only password and Google Authenticator are
required.
Where the login is https or openvpn I can require a client certificate,
a password, and a 2FA code.
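As an added example of the layered sshd/PAM setup described above (not configuration from the post; the `machineaccounts` group, the sssd-based AuthorizedKeysCommand for LDAP-stored keys, and the Debian file layout are assumptions):

```conf
# /etc/ssh/sshd_config  (added example; assumes OpenSSH >= 8.7 and Debian PAM layout)
UsePAM yes
PubkeyAuthentication yes
# Do not let sshd check passwords itself; the password factor is collected by PAM
# inside the keyboard-interactive step, so both factors go through one PAM stack.
PasswordAuthentication no
KbdInteractiveAuthentication yes      # "ChallengeResponseAuthentication" on older releases

# Public keys come only from the directory (sssd helper assumed); ignore any
# ~/.ssh/authorized_keys a user may have installed.
AuthorizedKeysFile none
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

# Interactive users: key first, then PAM (password + TOTP) in a second round.
AuthenticationMethods publickey,keyboard-interactive:pam

# Machine accounts (assumed group name): key only, no password or TOTP prompt.
Match Group machineaccounts
    AuthenticationMethods publickey

# /etc/pam.d/sshd  (keep the distribution's existing lines; order matters)
@include common-auth                         # pam_unix / pam_ldap: the password factor
auth required pam_google_authenticator.so    # TOTP factor; without "nullok" a user with no
                                             # ~/.google_authenticator is refused rather than let through

# /etc/pam.d/login  (TTY logins: password + TOTP only, as the post describes)
@include common-auth
auth required pam_google_authenticator.so
```

Check the result with `sshd -T -C user=alice,host=,addr=` style queries (a Match-aware dump) before restarting sshd, and keep an existing session open while testing so a mistake in the PAM stack cannot lock you out.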