Re: add 2FA to ssh

To: debian-user@lists.debian.org
Subject: Re: add 2FA to ssh
From: Henning Follmann <hfollmann@itcfollmann.com>
Date: Thu, 13 Aug 2020 11:12:06 -0400
Message-id: <[🔎] 20200813151206.GA1712@typer.localnet>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] CAJmb-YkTPwpF8uGt-manvsGZ0qXUPBApoi-YWR2K6-Htc7Kisw@mail.gmail.com>
References: <[🔎] e1290a55-1da9-861e-520e-611e0095a8d5@fuckaround.org> <[🔎] 20200813114644.GG2182@typer.localnet> <[🔎] CAJmb-YkTPwpF8uGt-manvsGZ0qXUPBApoi-YWR2K6-Htc7Kisw@mail.gmail.com>

On Thu, Aug 13, 2020 at 09:39:43AM -0500, Nicholas Geovanis wrote:
> On Thu, Aug 13, 2020, 6:47 AM Henning Follmann <hfollmann@itcfollmann.com>
> wrote:
> 
> > On Thu, Aug 13, 2020 at 01:37:39PM +0200, Pòl Hallen wrote:
> > > Hi folks :)
> >
> > >
> > > what it better with 2FA: at ssh login request first 2FA authentication
> > next
> > > ssh password or viceversa?
> > >
> > > thanks!
> > >
> > > Pol
> >
> > sorry to say, but 2FA is again one of the hype things. Why do you need 2FA
> > for ssh. I mean a really good reason.
> > Maintain a good keychain and you wont need 2FA.
> >
> 
> The usual reason is an out-of-band or hardware-based one-time pad. The
> additional password is for that session only.
> 

That is not a reason. This is "how".
The "session only" I kind of get though.
But still. Currently everyone is pushing 2FA and most of the time
the implementation sucks or there is no good reason for it.
And for ssh a password protected keychain is the reasonable
way to go.

-H

-- 
Henning Follmann           | hfollmann@itcfollmann.com

Reply to:

References:
- add 2FA to ssh
  - From: Pòl Hallen <deben@fuckaround.org>
- Re: add 2FA to ssh
  - From: Henning Follmann <hfollmann@itcfollmann.com>
- Re: add 2FA to ssh
  - From: Nicholas Geovanis <nickgeovanis@gmail.com>

Prev by Date: Re: add 2FA to ssh
Next by Date: Re: RFE: a "testcd" (a la knoppix) option for the debian DVD?
Previous by thread: Re: add 2FA to ssh
Next by thread: Re: add 2FA to ssh
Index(es):
- Date
- Thread