Comments on Securing SSH On Ubuntu With WiKID Two-Factor Authentication
Securing SSH On Ubuntu With WiKID Two-Factor Authentication SSH offers a highly secure channel for remote administration of servers. However, if you face an audit for regulatory or business requirements, such as Visa/Mastercard PCI, you need to be aware of some potential authentication-related shortcomings that may cause headaches in an audit. In this document we are going to demonstrate how to add WiKID two-factor authentication to SSH on Ubuntu. First, we will configure a domain on the WiKID server, then add the target server as a network client of the WiKID server, and finally configure the Ubuntu box via pam-radius.
Comments
To control which users have public key authorization
With OpenSSH 4.3p2 and above you can use the Match conditional block to define which users have public key authorization.
In sshd_config add:
Match User root
PubkeyAuthentication no
To enforce passphrase complexity
In sshd_config set:
UsePAM yes
Configure pam_cracklib.so for password complexity in /etc/pam.d/system-auth-ac:
password requisite pam_cracklib.so try_first_pass reject_username retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html
To expire a public key
The sshd_config option RevokedKeys is a way of expiring public keys.
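As an added example that is not part of either comment: a POSIX shell audit script that checks, against constructed sample files, whether the controls the comment describes are in place (the root Match block, UsePAM, RevokedKeys and the pam_cracklib minimum length). The sample file contents, the temp-file paths and the function names are constructed for this example; the Match parser handles exact user names only.

```shell
#!/bin/sh
# Added audit script (not from the comment above). Checks a sshd_config for
# the root "Match User" block, UsePAM and RevokedKeys, and a PAM file for the
# pam_cracklib minimum length. The sample inputs below are constructed.
SSHD_CFG=$(mktemp) ; PAM_CFG=$(mktemp)
trap 'rm -f "$SSHD_CFG" "$PAM_CFG"' EXIT
cat >"$SSHD_CFG" <<'EOF'
UsePAM yes
RevokedKeys /etc/ssh/revoked_keys
PubkeyAuthentication yes
Match User root
    PubkeyAuthentication no
Match Group sftponly
    X11Forwarding no
EOF
cat >"$PAM_CFG" <<'EOF'
password requisite pam_cracklib.so try_first_pass reject_username retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
EOF

# global_value FILE KEYWORD: first value set before any Match block (sshd uses first-wins)
global_value() {
    awk -v key="$2" 'tolower($1)=="match"{exit}
        tolower($1)==tolower(key) && !done {print $2; done=1}' "$1"
}

# effective_pubkey FILE USER: PubkeyAuthentication as sshd applies it to USER.
# A matching "Match User" block overrides the global value; the first match wins.
# Simplification: exact user names only, no wildcards or comma-separated lists.
effective_pubkey() {
    awk -v user="$2" '
        tolower($1)=="match" { inmatch=1; hit=0
            for (i=2; i<NF; i+=2) if (tolower($i)=="user" && $(i+1)==user) hit=1
            next }
        tolower($1)=="pubkeyauthentication" { if (!inmatch) g=$2; else if (hit && m=="") m=$2 }
        END { if (m!="") print m; else if (g!="") print g; else print "yes" }' "$1"
}

# cracklib_minlen FILE: value of minlen= on the pam_cracklib line, or 0 if absent
cracklib_minlen() {
    awk '/pam_cracklib\.so/ { for (i=1; i<=NF; i++) if ($i ~ /^minlen=/) { sub(/^minlen=/, "", $i); print $i; found=1 } }
         END { if (!found) print 0 }' "$1"
}

# audit SSHD_FILE PAM_FILE: returns 0 only if every control is present
audit() {
    rc=0
    [ "$(effective_pubkey "$1" root)" = no ] || { echo "FAIL: root can still use public keys"; rc=1; }
    [ "$(global_value "$1" UsePAM)" = yes ] || { echo "FAIL: UsePAM is not yes"; rc=1; }
    [ -n "$(global_value "$1" RevokedKeys)" ] || { echo "FAIL: no RevokedKeys file configured"; rc=1; }
    [ "$(cracklib_minlen "$2")" -ge 8 ] || { echo "FAIL: pam_cracklib minlen below 8"; rc=1; }
    return $rc
}
audit "$SSHD_CFG" "$PAM_CFG" && echo "PASS: all checks satisfied"
```

On a live host, `sshd -T -C user=root` prints the effective configuration after Match evaluation and is the authoritative check; the parser here is only for reviewing a config file offline.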
+1 Great comment! Of course you can do all that in OpenSSH Server!