Discussion on:

18
Comments

-1 Votes
security?
pgit 21st Jun
Is there anything google gets out of this? eg is there a potential for a back door? Session stealing? I understand the real enhancement inherent in a two-factor auth, but this particular third party automatically raises doubts.

Something tells me to beware any "help" from google. I'll keep using my ssh keys...
1 Vote
Yes, you can keep your SSH keys. It's a second factor, so you need this + your SSH keys. As long as you don't give them to Google, or leave them unencrypted, you'll be more secure with Google 2Factor.
"PIN" is an acronym. The third letter of "PIN" stands for "number". Saying "PIN number" is the same as saying "personal identification number number".
1 Vote
it also sounds strange.
PIN code, yes.
PIN number, not so much.
title says it all...
I'd like to use it to protect my netbook/laptop a little more; being able to add this on my normal logon screen would help :)
(I know... format & you're good to go; but would protect from password-peeking by co-students)

edit: also, if someone knows how to implement this on RDP to win server 2008; would help me as well :)
At least for my servers. My phone though is another story. Although I have to admit I do not use my phone for doing online transactions or even checking bank accounts or something else. Smartphone security is still in an infant stage imho.

pace
http://blog.absolute.com/rsa-securid-compromise-in-detail/

I'll stick with certificates and a PKI infrastructure I maintain. Outsource your security and you're outsourcing the control of your network.
-1 Votes
Not likely
WDMilner 21st Jun
Google collects too ... dern...much information already. I won't give them my phone number - and I certainly don't want them anywhere near my servers let alone my secure logons. You want security you go to security specialists - you want groceries, try the local market.
0 Votes
Google
Harmil 14th Dec
Do you have an alternative in mind? Google provides fast, reliable two-factor authentication in source code form. Seems ideal to me. As for information collection... I don't think your one-time keys are terribly interesting to Google. The reason they're providing this for free is to improve the overall security of the Web. If you think about it from their perspective, being the dominant search and advertising player on the Web puts Google in an interesting spot. Any change that they make that increases reliability and security of the Web is likely to increase use, and increased use translates to increase user-base for Google search and advertising.

It's actually in their best interests to make the Web faster, more reliable and more secure. That's why you see efforts like this, GWT and their Webmaster tools.
apparently the makefile only tests for /usr/lib/libdl.so so it can't find the functions in that library on 64bit installations (/usr/lib64/libdl.so). the build itself works fine if you do it manually (add -ldl)... or fix the makefile.
0 Votes
There are a few more permutations (e.g. lib32 on Ubuntu). I posted to the issue tracker a patch that addresses a wider array of platforms:

http://code.google.com/p/google-authenticator/issues/detail?id=77&q=makefile
2 Votes
Try Duo Security!
dugsong Updated - 21st Jun
As an OpenSSH author (see the ssh manpage :) I'm somewhat biased, but encourage folks to check out Duo Security instead:

http://blog.duosecurity.com/2011/04/announcing-duos-two-factor-authentication-for-unix/

It's much easier:

- Phone call, SMS, smartphone push, in addition to free mobile apps on 7 platforms
- Self-service enrollment with no command-line tools to run or accounts to set up

More flexible:

- Also works to protect SSH pubkey authentication, which PAM modules cannot - and doesn't even require restarting sshd!

Not just for Linux:

- Protect your Solaris, MacOS X, *BSD, etc. boxes; Cisco, Juniper, etc. VPNs, web applications, etc.
- All open source code at https://github.com/duosecurity

And free for up to 10 users. It is our way of giving back to the security and systems communities we've been part of for decades.
1 Vote
I'll take this opportunity to thank one of the generous, capable developers of by far my favorite software of any kind. A big "THANK YOU," may wealth, health and happiness litter your path!

I couldn't live without OpenSSH, it's far too useful to enumerate the benefits here...

And given all that, you bet I'll check out duo. Thanks for the tip... =)
1 Vote
Duo Security
cepler 26th Aug
Duo Security is great and free for small setups. The one major limitation right now on the iOS app is that it only supports push and code generation when linked with one site or "integration" as they call it. To change it to another one you have to delete the app, reinstall and re-integrate it with your account, unlike Google which allows multiple codes in one app. They've indicated this is a feature that they are working on, and phone/sms auth still works but multi-site push notifications would be very nice to have. The push notifications are quite fast and easy to do.
Just a tip, you may run into SELinux problems on RHEL 6.x.

If you set up GA with the example in the README file

Using a local path for home directories with .google-authenticator files.

auth required pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google-authenticator

You may get problems with SELinux, sshd will not be able to update the files in /var/unencrypted-home.....

This can be solved by changing the SELinux type of the directory:

#semanage fcontext -a -t ssh_home_t '/var/unencrypted-home(/.*)?'

And then do a relabel after changes:
#restorecon -Rv /var/unencrypted-home

Espen
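
Added example, not part of the comment above: a shell check that pulls sshd's SELinux AVC denials out of audit records, to confirm that the failure described is a labelling problem and which target type is involved. The function names and the SAMPLE_AUDIT lines are constructed for illustration; on a real host the input would be /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example. SAMPLE_AUDIT is constructed (pids, inodes, timestamps are made up).
SAMPLE_AUDIT='type=USER_AUTH msg=audit(1308650000.090:411): pid=2301 uid=0 msg="op=PAM:authentication acct=user1 res=failed"
type=AVC msg=audit(1308650000.101:412): avc:  denied  { write } for  pid=2301 comm="sshd" name=".google-authenticator" dev=dm-0 ino=131 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1308650000.102:413): avc:  denied  { write add_name } for  pid=2301 comm="sshd" name=".google-authenticator~" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1308650007.550:420): avc:  denied  { read } for  pid=988 comm="httpd" name="index.html" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# sshd_denials: read audit records on stdin and print one line per AVC denial
# raised against sshd, as "permissions object-class name target-type".
sshd_denials() {
  awk '
    $1 == "type=AVC" && /denied/ && /comm="sshd"/ {
      perms = ""; name = "?"; ttype = "?"; tclass = "?"
      # Permission list sits between braces: "{ write add_name }"
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perms)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^name=/)     { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
        # tcontext is user:role:type:level; the type is the third part
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      print perms, tclass, name, ttype
    }'
}

# denied_types: the distinct SELinux types sshd was refused access to.
# A generic type such as var_t here points at a directory that was never
# labelled for sshd, which is what the semanage/restorecon step addresses.
denied_types() {
  sshd_denials | awk '{ print $4 }' | sort -u
}

printf '%s\n' "$SAMPLE_AUDIT" | sshd_denials
printf '%s\n' "$SAMPLE_AUDIT" | denied_types
```

Once the directory has been relabelled, running the same check over newer audit records should no longer list entries for it.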
0 Votes
You should, if you have not already, open a ticket in the issue tracker for this:

http://code.google.com/p/google-authenticator/issues/list
-1 Votes
Nice..
fremostes 1st Aug
Very nice page. goldbet
0 Votes
MySpace's biggest failure is design. Visually, it's horrific at worst and unappealing at best. The decision to allow non-designers (i.e. users) to add style sheets and animated images to their pages is what lost me. Half the time i couldn't read a users post because they'd have white text on an animating gray background. It's basically a bad version of 100,000 GeoCities / AOL hometown sites all tied up together. fap turbo