On 23/7/24 10:16, jeremy ardley wrote:
I use Google Authenticator as an option in pam to secure ssh connections. It can be plugged into other services such as httpd and normal cli login. I expect Google authenticator also works on Windows. NB. Google Authenticator does not use any Google cloud services. It is purely a local application on your machine.
I just did a quick search about Google Authenticator vs Authy. It seems an issue is the GA phone client not having a PIN.
In my main use case of ssh connections I have multiple layers of security so having my phone compromised won't help an attacker.
Using PAM:

1. I require my ssh connection to provide a certificate. I store the public key in LDAP and use only that rather than any user-installed key.
2. I require the user to provide a password that can be local and/or in LDAP.
3. I require the user to enter a 2FA Google Authenticator code.

This can be modified in PAM so that machine accounts only need a certificate while interactive users get the full security treatment.
Where the login is on a TTY, only password and Google Authenticator are required.
Where the login is https or openvpn I can require a client certificate, a password, and a 2FA code.
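The ssh layering described in this thread (directory-held public key, password, then a Google Authenticator code, with machine accounts exempted from the last two) can be expressed in sshd_config plus Debian's PAM stack roughly as follows. This is an added example, not the poster's own configuration; it assumes Debian's /etc/pam.d layout with libpam-google-authenticator installed, a hypothetical helper script /usr/local/sbin/ldap-ssh-keys that prints the named user's public key(s) fetched from LDAP, and a Unix group named machine-accounts for non-interactive logins.

```conf
# /etc/ssh/sshd_config (excerpt, added example)

# Public keys come from the directory only: disable per-user authorized_keys
# files and ask a helper (hypothetical path) to fetch the key for %u from LDAP.
PubkeyAuthentication yes
AuthorizedKeysFile none
AuthorizedKeysCommand /usr/local/sbin/ldap-ssh-keys %u
AuthorizedKeysCommandUser nobody

# Password and one-time code are both collected by PAM through the
# keyboard-interactive method, so plain password auth is switched off.
UsePAM yes
KbdInteractiveAuthentication yes   # ChallengeResponseAuthentication on older OpenSSH
PasswordAuthentication no

# Interactive users: key first, then the PAM conversation (password + TOTP).
AuthenticationMethods publickey,keyboard-interactive

# Machine accounts: certificate/key alone is enough.
Match Group machine-accounts
    AuthenticationMethods publickey

# /etc/pam.d/sshd (excerpt, added example)
# common-auth carries the local and/or LDAP password check (pam_unix, pam_ldap);
# the TOTP module runs after it.
@include common-auth
auth required pam_google_authenticator.so

# Weak variant, for comparison only: "nullok" lets any user who has not yet
# enrolled a secret skip the second factor entirely, so it belongs only in a
# rollout window, never in the final configuration.
# auth required pam_google_authenticator.so nullok
```

The same `auth required pam_google_authenticator.so` line in /etc/pam.d/login gives the TTY behaviour from the post (password plus code, no key step, since there is no SSH key exchange on a console). One check worth doing after deployment: `sshd -T -C user=<machine account>,host=<host>,addr=<addr>` prints the effective `authenticationmethods` for a given login, which confirms the Match block applies to the accounts you intended and to no others.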