Hacker News new | past | comments | ask | show | jobs | submit login

Add http://www.heiho.net/pam_shield/ and http://www.snafu.priv.at/mystuff/pam_recent.c to that list.

I use use some iptables voodoo with them to auto-whitelist on successful auth and blacklist on failed auth attempts.

Three things to note about google authenticator:

1. ssh keys bypass it unless you have a patched version of OpenSSH with multiauth

2. It can be configured to have you append your one time code to your password for interop with things that can't handle keyboard-interactive auth

3. It is self contained and doesn't use any google services to function.

With regard to #1, newer OpenSSH supports AuthenticationMethods, which lets you chain keys and PAM.

Ah, thanks. For a while you had to apply a patch to get that, I wasn't aware it'd be merged.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact