krypton-ios VS google-authenticator-libpam

I used this when it was still Krypton [0], it worked very well, it just gives you a "Want to log in?" notification on your phone, but for almost anything imaginable (inc SSH). I don't see it used much though.

[0] https://krypt.co/

Using your SIM card for MFA when logging in to an SSH server (through paid API requests to a third party)

There are ways to use your phone's secure storage capabilities for key storage. I've dabbled with using Krypt.co [1] for this, though that's sadly been deprecated and will at some point be replaced by a paid-for cloud service from Akamai. I'm sure there are other options available as well.

A far superior method for SSH security would be a physical U2F key or even a smart card. It's also possible to set up TOTP as a second factor ([2], works with any TOTP solution, not just Google Authenticator). I don't see a need for this paid-for third party service unless you're already using their services for some kind of verification mechanism.

[1]: https://krypt.co/

[2]: https://github.com/google/google-authenticator-libpam

Krypton (https://krypt.co), now owned by Akamai (https://akamai.com/mfa) who removed one of the best features, IMO (SSH key on a phone...) does this to an extent... Akamai says it's FIDO2... have not used it in a while... It is free though until Akamai decides not to give it away...

Here's the announcement on the website of the FIDO alliance: https://fidoalliance.org/apple-google-and-microsoft-commit-t...

I hope this cross device system will be cross platform, but I wouldn't be surprised if you could only choose between macOS/iOS, Chrome/Chrome, or Edge/Edge sync.

Funnily enough, a system for signing web authentication requests from a mobile device is far from new: I've been using https://krypt.co/ for years (though it's on the long road of sunsetting right now) and I hope that will last long enough for the new cross device standard to replace it.

> For the purpose of login in with a private key, i would prefer some browser extension (or built in the browser) that generates a key from a seed (like a crypto wallet) and only does that. This doesn't exist at this point.

What about https://www.yubico.com/products/yubikey-5-overview/ or https://cloud.google.com/titan-security-key/ or https://krypt.co/ (before it was acquired, I still use it though) or any of it's equivalents?

NOTE: Sometimes, if you are using a key-manager like Krypt.co you will not have the typical .pub file to copy, in which case using ssh-copy-id -f option will force it to copy anything close to a public key and this works for me.

Krypton is a great little multi-factor authentication tool that stores your SSH and U2F keys on your phone and provides an SSH agent and a browser extension that send approval requests to your phone when those keys are invoked. Ie., you ssh into your server and a notification pops up on your phone asking you if it's okay. It also handily GPG-signs your Git commits.

Here's the URL, since finding it via search is hard: https://krypt.co/

check this https://krypt.co/

Trusting your HSM vendor is a requirement if you don't want your keys to be exportable, and there's much less risk in doing so compared to trusting Apple for other things like secure communications (iMessage is e2ee but doesn't tell you when your peer changes/adds keys and backups to iCloud by default).

Also, a lot of people who use Krypton don't know that SSH keys actually don't use the secure enclave because it doesn't support rsa or ed25519: https://github.com/kryptco/krypton-ios/issues/73#issuecommen...

Especially that nowadays password authentication may fade away soon.

Windows already supports password-less authentication quite well. It's just a matter of time until there are good solutions for Linux too.

I have already some systems set up in a way that they ask for a TOTP when doing username/password login via SSH: https://github.com/google/google-authenticator-libpam

We also found out that Tailscale SSH, unlike e.g Cloudflare Zero, does not seem to work with google-authenticator PAM module which could be a workaround. Please correct me if I am wrong here.

(Don't worry it has nothing really to do with Google other than the fact that they wrote and open sourced the 2FA library: https://github.com/google/google-authenticator-libpam ) All logic is done locally on the server you install the pam module on, it generates a QR which you can scan and then stores the secret information in a config file in your user profile.

Out of the box, this is arguably less secure than most other remote access solutions. With OpenVPN, as well as the certificate's private key, you would usually require user credentials or a TOTP. With SSH, usually you would password-encrypt your key file, and there is the popular Google Authenticator 2FA PAM module to add TOTP support.

Using your SIM card for MFA when logging in to an SSH server (through paid API requests to a third party)

There are ways to use your phone's secure storage capabilities for key storage. I've dabbled with using Krypt.co [1] for this, though that's sadly been deprecated and will at some point be replaced by a paid-for cloud service from Akamai. I'm sure there are other options available as well.

A far superior method for SSH security would be a physical U2F key or even a smart card. It's also possible to set up TOTP as a second factor ([2], works with any TOTP solution, not just Google Authenticator). I don't see a need for this paid-for third party service unless you're already using their services for some kind of verification mechanism.

[1]: https://krypt.co/

[2]: https://github.com/google/google-authenticator-libpam

dont think you can since the passphrase is client side. you could require mfa on top of the login via sshkey. eg. https://github.com/google/google-authenticator-libpam

Have a look at https://github.com/google/google-authenticator-libpam

The google-authenticator module has many options you can set which are documented here. In the interest of saving time, we are going to use some sane defaults in this example: disallow reuse of the same token twice, issue time-based rather than counter-based codes, and limit the user to a maximum of three logins every 30 seconds. To set up Google 2-factor authentication with these settings, a user should run this command:

Install Active Directory servers, one for each site. Both need to be DNS servers and Global Catalogs.Add users to be authenticated as normal, the users PIN will be their domain password.(You can skip the above), just use your existing users.Install Centos 7 Use static IP address(es) and point the DNS to the domain controller(s) Configure the hostname and FQDN to an appropriate value. Note this will be visible in Google Authenticator.Patch the OS yum -y updateStop and disble SELinux and the firewall systemctl stop firewalld.service systemctl disable firewalld.service vi /etc/selinux/config Change SELINUX=enforcing to SELINUX=disabled Save and exit then reboot.Install and configure FreeRADIUS yum -y install freeradius freeradius-utils vi /etc/raddb/radiusd.conf Change #user = radiusd to user = root Change #group = radiusd to group = root vi /etc/raddb/sites-enabled/default Change # pam to pam ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam vi /etc/raddb/clients.conf - The client IP and/or subnet need to match where the requests are coming from Add to the end client 192.168.0.0 { ipaddr = 192.168.0.0/24 secret = password - Whatever secret you configure here must match where the requests are coming from require_message_authenticator = no nas_type = other } vi /etc/raddb/users Change #DEFAULT Group == "disabled",Auth-Type:=Reject # Reply-Message = "Your account has been disabled." to DEFAULT Group == "disabled",Auth-Type:=Reject Reply-Message = "Your account has been disabled." DEFAULT Auth-Type := PAMInstall and configure SSSD yum -y install sssd realmd adcli yum -y install oddjob oddjob-mkhomedir sssd samba-common-tools realm join gatest.local - This is the domain name that holds the accounts for Google Authenticator vi /etc/sssd/sssd.conf Change use_fully_qualified_name = True to use_fully_qualified_name = False chmod 400 /etc/sssd/sssd.confInstall and configure Google Authenticator yum -y install pam-devel make gcc-c++ git yum -y install automake autoconf libtool cd ~ git clone https://github.com/google/google-authenticator-libpam.git cd ~/google-authenticator-libpam/ ./bootstrap.sh ./configure make make installConfigure PAM vi /etc/pam.d/radiusd Comment out the existing entries and then add the following at the end auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass auth required pam_sss.so use_first_pass account required pam_nologin.so account include password-auth session include password-authEnable FreeRADIUS Service systemctl enable radiusd systemctl start radiusdInstall google authenticator yum install google-authenticatorSetup Google Authenticator for a user su - username - This is the user account created in Active Directory cd ~ - Make certain you're now in their /home/username directory google-authenticator - Answer the following questions with Y, Y (take a screenshot of the QR code), -1, Y, N, Y The user should now be able to authenticate using their domain name as the account name, their domain password as their PIN and their token code.

For QR codes in particular, pam_google_authenticator does this.