14 comments

[ 3.8 ms ] story [ 32.8 ms ] thread
I'd be interested to hear how people on HN currently secure their SSH sessions with two-factor authentication.
Duo: https://duo.com

Super easy to setup and use. About $1/user/month, so fairly cheap.

Does it allow to do "nested" logins? E.g., first login from machine A to machine B, then login from machine B to machine C, while the security token is on machine A?
Google 2fa is easy to set up as a PAM module.
The difficult question regarding two factor authentication is "what do you do if you lose the second factor?"

The answer to that question can often range all the way from "your account is lost forever" to "you have to go through a whirlwind of bureaucratic pain" to "the alternative method of entry is easy, hassle free, and how your account will end up compromised."

Yubico's answer to this is to own & register two of them against the account/software they are being used as the 2nd factor for. Some accounts also offer something short of the whirlwind but not as socially engineerable as the obvious easy, hassle free methods - for example Google issues backup codes for signing into the account when you lose all your means of 2FA.
Out of curiosity, do you actually have your backup codes somewhere? I know I did at some point, but the things you don't use, you lose...
Plugging a device into a USB port was the method by which Stuxnet was deployed.
New MBP laptops have no compatible USB slots

Another dongle