
Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 11:43 UTC (Thu) by drag (subscriber, #31333)
In reply to: Google Authenticator for multi-factor authentication by drag
Parent article: Google Authenticator for multi-factor authentication

OK. I think I understand now. The ~/.google-authenticator is on the server side and is what PAM uses to authenticate your user.

I thought it was part of what you needed on the client side. My mistake.

In this case it's not like Kerberos tickets or a private SSH key at all. It's more like the public key for SSH RSA/DSA authentication.

Even then it's not horrible or stupid, I think. It seems obvious that the ~/.google-authenticator file is intended for the user to set up for themselves without administrative help in addition to passwords. So in that case it makes sense that it's in the home directory.

Is there a mode for the administrator to set up the secrets without user intervention; without the ~/.google-authenticator file?



Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 13:12 UTC (Thu) by dwmw2 (subscriber, #2063)

Google Authenticator doesn't use public/private keys. It has a single symmetric key. Essentially there is no public key; only a private key.

So no, the problematic part is not that it's like the SSH public key. The problematic part is that it's like keeping your SSH private key lying around on the file system without a passphrase.

And yes, the patch I mention above will allow you to keep the files in a root-owned and root-only-readable location.
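The single-symmetric-key point above, as an added example that is not part of either comment or of the Google Authenticator code: the verifying side recomputes the code from the same stored key that generates it, so the file holding that key needs private-key-style permissions. It assumes the RFC 6238 time-based mode with its defaults (HMAC-SHA1, 30-second step, 6 digits); the demo key is the RFC 6238 test key, and the function names are hypothetical.

```python
import base64, hashlib, hmac, os, stat, struct

# Constructed demo key (the RFC 6238 test key), not a real account secret.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: code = truncate(HMAC(key, time // step))."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_verify(secret_b32, submitted, unix_time):
    """What the verifying side does: recompute with the same key and compare."""
    return hmac.compare_digest(totp(secret_b32, unix_time), submitted)

def secret_file_problems(path):
    """Return reasons why a file holding the shared key is over-exposed."""
    st = os.lstat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group or other (want mode 0600 or 0400)")
    return problems

if __name__ == "__main__":
    import sys
    now = 59  # fixed time so the output is reproducible
    code = totp(DEMO_SECRET, now)
    print("code from the stored key:", code,
          "accepted:", server_verify(DEMO_SECRET, code, now))
    # Audit any secret-file paths given on the command line.
    for p in sys.argv[1:]:
        print(p, secret_file_problems(p) or "ok")
```

Run it with the path of a secret file as an argument to audit that file's mode.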

