

Ask HN: Approachable solution for multi-factor SSH authentication? - api

My venture has a significant security component, and I'm looking right now into hardening remote access to core servers and infrastructure.

I've worked before in high security environments that used things like smart card (US DOD CAC) authentication, and these worked very well with ssh and ssh authentication forwarding. It was actually more user-friendly than standard SSH passphrase + key, in that you could cache the card PIN locally and then ssh around at will. It would just keep authenticating with your physical credential until the PIN cache timed out (we used 60 seconds) or you yanked your card.

Is there any vendor that sells a solution like this that's "hacker friendly" and affordable for independent entities? I've done some searching and I just can't find anything that doesn't seem "enterprisey" with the standard enterprise $call for pricing, awful UX, etc.

I use a Mac as my primary work machine, and I'd like something that can be used for several purposes e.g. both SSH auth and file / encrypted volume encryption, etc.

The poverty of good approachable solutions in this space feels almost like some kind of conspiracy given the demand that's probably out there.
======
ProblemFactory
RFC6238 TOTP (popularized by Google Authenticator) should fit your needs well.

* It is an open algorithm based on [http://tools.ietf.org/html/rfc6238](http://tools.ietf.org/html/rfc6238)

* Both the server and client work completely offline based on a pre-shared key and current time. It does not need any third-party services, network calls, or paid plans.

* The Google Authenticator app for saving secrets and generating tokens is open-source and available on Android and iOS. It does not share the secrets or tokens with Google. Others have also published compatible apps.

* There is already a Debian/Ubuntu package for adding it to logins, including SSH logins: libpam-google-authenticator

* If that's not sufficient, then there are libraries for various languages.

* And if not, or if you want to build your own branded client, then both the server and client implementations take about 10 lines of code: [http://en.wikipedia.org/wiki/Google_Authenticator#Technical_...](http://en.wikipedia.org/wiki/Google_Authenticator#Technical_description)

------
JoachimSchipper
Aside from TOTP, as pointed out by ProblemFactory:

- the Yubikey is a hardware authentication token (with various modes - in particular, the "type my password" mode can be plugged into nearly anything)

- companies like Duo Security sell two-factor authentication

- ssh-agent (part of OpenSSH) allows you to keep authenticating, with or without confirmation

- you can get a _lot_ of security from doing your web browsing and your development/system administration on different machines

Of course, it's hard to recommend something without any details about your situation or what you're looking for.

Also, there is no conspiracy. People just don't care that much about security.

------
wmf
This just came out: [https://www.scaleft.com/](https://www.scaleft.com/)

