I have a
couple of servers that I ssh into from different locations, I don't always have my ssh keys.
I have come up with what I think is a fairly secure 2fa using ssh and bash. RSVP if you see a flaw in this.
Server's
/home/myuser/.profile has
if [ "$PASSWORD" != longanddifficulttotypepassword ]
then
exit 0
fi
Server's
/etc/ssh/sshd_config forces use of a bash login shell
Match User myuser
ForceCommand /bin/bash -l
and allows sending environment variables
AcceptEnv LANG LC_* PASSWORD
When I login I supply PASSWORD as an environment variable, e.g. in
~/.ssh/config containing...
Host home
User myuser
SetEnv PASSWORD=longanddifficulttotypepassword
As long as I can remember my long and short passwords when I travel, I can login without SSH keys.
All I have to type to login is
ssh home and my short password.
I'd like to build this feature into PAM but I've not yet found a way to pass a second token without user input.
If a hacker knows you are doing these things, the security weakens but it does not disappear.
Telling everybody that your logins support
!@#$%^&*()_+ in usernames makes dictionary attacks harder, even if you don't use those characters.
Of course simple 2fa should not replace a functioning first layer.
- Don't use very weak passwords.
PermitRootLogin prohibit-passwordAllowUsers ...- Don't run ssh on port 22.
In your local
/etc/ssh/ssh_config you probably want to ensure you dont accidentally send an env variable to a server that isn't your own
Host onlymyserver
SendEnv LANG LC_* PASSWORD
No comments:
Post a Comment