Authenticating with U2F
by Sven Vermeulen, post on Mon 11 September 2017In order to further secure access to my workstation, after the switch to Gentoo sources, I now enabled two-factor authentication through my Yubico U2F USB device. Well, at least for local access - remote access through SSH requires both userid/password as well as the correct SSH key, by chaining authentication methods in OpenSSH.
Enabling U2F on (Gentoo) Linux is fairly easy. The various guides online which talk
about the pam_u2f
setup are indeed correct that it is fairly simple. For completeness
sake, I've documented what I know on the Gentoo Wiki, as the pam_u2f article.
Using multiple OpenSSH daemons
by Sven Vermeulen, post on Sun 06 September 2015I administer a couple of systems which provide interactive access by end users, and for this interactive access I position OpenSSH. However, I also use this for administrative access to the system, and I tend to have harder security requirements for OpenSSH than most users do.
For instance, on one system, end users with a userid + password use the sFTP server for publishing static websites. Other access is prohibited, so I really like this OpenSSH configuration to use chrooted users, internal sftp support, whereas a different OpenSSH is used for administrative access (which is only accessible by myself and some trusted parties).