[Labs-l] 2-factor shell auth (was:second attempt to request alternative login server)
Ryan Lane
rlane at wikimedia.org
Wed Mar 6 19:51:40 UTC 2013
On Wed, Mar 6, 2013 at 10:19 AM, Matthew Walker <mwalker at wikimedia.org>wrote:
> [removed garbage about password auth being wonderful...]
>
> I don't feel passwords are any more or less secure than keys. In some
> cases keys can be even less secure if you're doing agent forwarding.
>
> This being said -- we have two factor auth available on labsconsole; I'd
> love it if two factor auth was also enabled by request for shells. I've
> done this on personal servers of mine using google's solution [1]. I don't
> think it would be too hard to implement on labs when time is available --
> it's controlled by a file in the home directory (which might be able to be
> moved, haven't looked deeply.)
>
> [1] https://google-authenticator.googlecode.com/
>
That's not scalable, and it's insecure on untrusted systems.
There's alternative ways to set up OATH
(https://github.com/mricon/totp-cgi/for instance), but it's really
annoying for end users. I've considered this
and went as far as testing it. It really sucks having to type your token in
every single time you want to log into any instance.
OATH isn't any more secure than properly using ssh keys, anyway, since it's
two-factor when a passphrase is used on the key.
- Ryan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wikimedia.org/pipermail/labs-l/attachments/20130306/9f24cc8e/attachment.html>
More information about the Labs-l
mailing list