Comments on Securing SSH On Ubuntu With WiKID Two-Factor Authentication

Securing SSH On Ubuntu With WiKID Two-Factor Authentication

SSH offers a highly secure channel for remote administration of servers. However, if you face an audit for regulatory or business requirements, such as Visa/Mastercard PCI, you need to be aware of some potential authentication-related shortcomings that may cause headaches in an audit. In this document we are going to demonstrate how to combine SSH on Ubuntu with two-factor authentication from WiKID. First, we will configure a domain on the WiKID server, then add the targeted server as a network client to the WiKID server, and finally configure the Ubuntu box via pam-radius.

Comments

By: Anonymous

To control which users have public key authorization
    With OpenSSH 4.3p2 and above you can use the Match conditional block to define which users have public key authorization

    In sshd_config add
    Match User root
      PubkeyAuthentication no


To enforce passphrase complexity
    In sshd_config set
    UsePAM yes

    Configure pam_cracklib.so for the password complexity
     /etc/pam.d/system-auth-ac
     pam_cracklib.so try_first_pass reject_username retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
    http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html


To expire a public key
    sshd_config option RevokedKeys is a way of expiring public keys.
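
To see which of the directives from the comment above actually apply to a given account, the following added example (not part of the original comment or of OpenSSH) resolves a config text for one user. It assumes a constructed sample config, a placeholder RevokedKeys path, and models only "Match User" and "Match all" criteria.

```python
import fnmatch

# Constructed sample sshd_config built from the directives in the comment above.
# The RevokedKeys path is a placeholder, not a value from the page.
SAMPLE = """\
UsePAM yes
PubkeyAuthentication yes
RevokedKeys /etc/ssh/revoked_keys
Match User root
  PubkeyAuthentication no
Match User root,admin*
  PubkeyAuthentication yes
  PasswordAuthentication no
"""

def user_matches(patterns, user):
    """OpenSSH-style pattern list: comma separated, * and ? wildcards, ! negates.
    fnmatch also accepts [seq], which sshd does not; avoid it in test input."""
    hit = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(user, pat[1:]):
                return False          # a negated hit always rejects
        elif fnmatch.fnmatchcase(user, pat):
            hit = True
    return hit

def effective(config_text, user):
    """Return the keyword -> value map that applies to `user`."""
    global_opts, match_opts = {}, {}
    target, active = global_opts, True
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit, _, arg = value.partition(" ")
            target = match_opts
            # Other criteria (Group, Host, Address, ...) are treated as no match.
            active = crit.lower() == "all" or (
                crit.lower() == "user" and user_matches(arg.strip(), user))
            continue
        if active:
            target.setdefault(key, value)   # first obtained value wins
    return {**global_opts, **match_opts}    # Match values override globals
```

On a live host, `sshd -T -C user=root` prints the configuration that sshd itself resolves for that user and is the authoritative check.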

By: Dan

+1 Great comment! Of course you can do all that in OpenSSH Server!