  1. #1
    Master Untangler lszalontai's Avatar
    Join Date
    Sep 2010
    Location
    Hungary
    Posts
    123

    Secure SSH with Google Authenticator's Two-Factor Authentication

    I found this article about setting up ssh access with google authenticator:

    http://www.howtogeek.com/121650/how-...ampaign=140812


    Is it something worth setting up for my UT box, or is it just going to mess things up?

    Thanks,
    Lóri

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,514

    I don't think it would mess things up, but for me SSH is an emergency tool. Which means things aren't working quite right.

    Think for a moment, Untangle is your border router. Do you really want your troubleshooting tool dependent on Internet connectivity for a login? The SMS message has to be sent some way, and it's done via the Internet. If Untangle goes down and cannot access the Internet, no more SSH, even if you're local.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Master Untangler lszalontai's Avatar
    Join Date
    Sep 2010
    Location
    Hungary
    Posts
    123

    I'm not thinking of SMS - btw, I don't really get why you brought this up...
    You can download a Google auth app for your smartphone which generates time-specific codes for you. I use it for my Google accounts as a 2nd layer of security and it works just perfectly.

  4. #4
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Neat, but I can't really imagine why unless it's just for fun.

    Two-factor authentication is useful when you have to deal with tons of users and have no guarantee that they're using decent passwords (i.e., not the birthday of their first born, etc.) or that they're careful with their RSA private key. I'm assuming that's not the case here.

    You can get security by using "real" passwords. If that's not enough, you can be even more secure: you can use RSA keys without modifying anything. If you truly need to be more secure than that you could add two-factor authentication, but it'd probably be easier to just disable SSH or only allow it from certain locations.

    TLDR: probably not worth the complications, unless it's just for fun.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,514

    What I read made me think the phone got the code via SMS. Are you saying it's just an APP that simulates an RFID tag?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Master Untangler lszalontai's Avatar
    Join Date
    Sep 2010
    Location
    Hungary
    Posts
    123

    It has nothing to do with RFID. The app was originally made for Google 2-way authentication, but being open-source it can be used for other purposes as well. It generates a numerical code which is valid for only a few seconds. If you don't enter the code during those seconds, it won't accept it. Frankly I have no clue how it works, but it works :-)

  7. #7
    Untangle Ninja dbunyard's Avatar
    Join Date
    Nov 2008
    Location
    Westerville, Ohio, USA
    Posts
    1,051

    Think RSA token in APP form.
    Dan

    You may one day find something interesting here. Today is not that day. Tomorrow isn't looking too good either.

  8. #8
    Master Untangler lszalontai's Avatar
    Join Date
    Sep 2010
    Location
    Hungary
    Posts
    123

    If anyone is interested in details:
    http://lwn.net/Articles/470764/

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,514

    RSA tags are a hardware device that generates a code on an interval. This code is made using an algorithm that is unique to the device in question. The service that is being authenticated against knows what this algorithm is, and as such generates the same numbers on the same interval.

    If Google is releasing code that does this, that's fine, but understand the security value of that information is nullified by the reality that ANYONE can get it. And unless you're specifying some form of seed on both the device, and the server using the device for authentication, the pattern of digits will be the same for everyone that uses the software.

    In short, it's pointless. Why bother to ask for information that anyone could get? If an attacker knows you're using this Google system, they just put the app on their smart phone and get a free answer.

    So if you do decide to do this, make sure you modify that base string, or it's quite worthless.

    P.S. Don't ask me why I said RFID before... I think the heat is getting to me.
    lszalontai likes this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #10
    Untangle Ninja dbunyard's Avatar
    Join Date
    Nov 2008
    Location
    Westerville, Ohio, USA
    Posts
    1,051

    Google has been using it for a while now for Gmail and such. I actually use it on my phone for my two form-factor authentication into my Gmail account. So I have to have a username/password along with the code generated by my Android phone. Google open sourced this a little while ago to be able to provide two form-factor authentication for other sites/services. I agree though, it seems like there could be major security issues with it.
    Dan

    You may one day find something interesting here. Today is not that day. Tomorrow isn't looking too good either.
