Combining two-factor authentication and SSH

Summary: Secure SSH tunnels are great for encrypting traffic, and two-factor authentication is great for adding another element to authorising them. Why not combine the two?

TOPICS: Security, Google

Setting up a secure SSH tunnel for communications and using two-factor authentication where possible are two security measures that many recommend, but what about combining the two to ensure that, if an SSH key is lost or stolen, no one gains illegitimate access to your server?

One group that has done just that is Authy, which has developed an API that will take care of sending and verifying tokens. Installation of the additional security measure is as simple as downloading the code to interface with its API (which the company has made available on Github); installing, enabling and testing it, then restarting the SSH service — all in about five commands.

After setting it up, users will receive tokens via SMS, or by using Authy's mobile app for Android, iPhone or BlackBerry.

There are some limitations, however. Setting up the process will require an API key from Authy, which is free if users expect to make fewer than 1000 API calls per minute. Additionally, Authy doesn't appear to use the Time-based One-time Password (TOTP) algorithm, which means that it is incompatible with other two-factor mobile applications, such as Google Authenticator.

The truly nervous may be concerned that they have to rely on the availability and trust of a third party to manage their tokens. In this case, there are alternatives, including using Google Authenticator's pluggable authentication module. This approach, when implemented correctly, stores the user's secret for generating codes on the server and on the user's device, eliminating any reliance on a third party, including Google, although it does require a bit more work.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

3 comments
  • Because SSH is not End to End encryption

    SSH provides encryption in the transport protocol; it is still not good enough for applications such as banking. That's where E2EE comes in.
    iamcjbon@...
    • Sure it does

      “SSH is not End to End encryption” amcjbon@...

      - “Secure Shell (SSH), Encryption: Establishing an end-to-end link whose data transfers are encrypted,” Dr. Natarajan Meghanathan, Assistant Professor of Computer Science -

      http://www.jsums.edu/cms/tues/docs/NetworkSecurity/Module-NetworkSecurityControls.pdf

      https://security.web.cern.ch/security/recommendations/en/ssh.shtml
      RickLively
    • Re: Because SSH is not End to End encryption

      I get the feeling you work in banking...

      (RickLively is right)
      ldo17