2-Factor Authentication

Registered by Kees Cook on 2011-05-02

Discuss how to implement sensible and friendly two-factor authentication into Ubuntu.

Blueprint information

Jamie Strandboge
Kees Cook
Marc Deslauriers
Series goal: Accepted for oneiric
Milestone target: ubuntu-11.10
Started by: Jamie Strandboge on 2011-07-15

NOTE: Adjusted to mdeslaur as the assignee since Kees left and the reports are not correct.

Work items:
[mdeslaur] Create a test PAM module that exercises unusual interactions (PIN, challenge-response): DONE
[mdeslaur] Document recommended 2-factor mechanism: POSTPONED
[kees] examine available hardware tokens and find something sufficiently cheap to recommend: POSTPONED

 * duo-unix package example (relies on the duo-security company's infrastructure)
 * other alternatives
 * invite server and anyone else who might be interested
 * is there anything we can get going in time for 12.04?

FYI in re alternatives: We have released .debs for the WiKID Strong Authentication server. The open-source server and software token clients are on sf.net: http://sourceforge.net/projects/wikid-twofactor/files/. Install docs are here: http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/How_to_install_the_WiKID_debs_on_Ubuntu. No outside infrastructure is required; keys are generated on the device by the token, so there are no shared secrets either.

From etherpad (http://summit.ubuntu.com/uds-o/meeting/security-o-tracking/):
- pam modules people are actually using
 - pam radius
 - opensc
 - pam sekrit googleness
 - opie
 - some people also use hardware tokens with external sites (bank, WoW)
 - yubikey
- future pam work
 - opencryptoki (pkcs11 aka smartcard library for TPM), possibly doable via OpenSC PAM module http://www.opensc-project.org/pam_pkcs11/
 - server seems viable (ssh in particular); desktop is not, for now
- demo of duo-unix
 - ta-da
- current caveats
 - gnome-screensaver doesn't have a helper running as root, so it can't access global tokens
  - (pam_unix does, which is why we can verify passwords at all)
 - PolKit knows to prompt (only shows the first line), but doesn't accept the token (specific to duo-unix?)
 - gdm works
 - gksu probably can't work with the current design
 - network manager may not provide prompting on a 2-factor VPN (vpnc works)
General discussion
- Not well tested; how do we move forward?
- Have a 2-factor system to demo
- PolKit prompting works better than the other pieces, but lots of pieces don't work
- pam-auth-update means that installing pam-* packages can automatically enable the modules
- How do we fix this?
 - [mdeslaur/kees] Create a test PAM module that exercises unusual interactions (PIN, challenge-response)
 - [mdeslaur/kees] Document recommended 2-factor mechanism
 - [kees] examine available hardware tokens and find something sufficiently cheap to recommend
- 2 separate issues:
 - software functionality
 - hardware/token/algo availability to the masses
- How to add two-factor authentication to Ubuntu using pam-radius: http://www.howtoforge.net/securing-ssh-on-ubuntu-with-wikid-two-factor-authentication
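The test-module work item above, as an added example (not code from the blueprint or from any Ubuntu package): a hypothetical module pam_testchal that drives an echoed challenge prompt and a hidden PIN prompt through the caller's PAM conversation function, so the gksu, PolKit and screensaver caveats listed in the etherpad notes can be reproduced against any PAM client. The response rule and the values 4821/1234 are constructed stand-ins for a real token scheme, and the function names are my own.

```c
/* pam_testchal.c (added example, hypothetical name): test PAM module exercising an echoed
 * challenge-response prompt and a hidden PIN prompt through the caller's conversation function.
 * Rule and fixed values are a constructed stand-in for a real token scheme. Build the module with
 * gcc -shared -fPIC -DWITH_PAM pam_testchal.c -lpam -o pam_testchal.so (else only the checks compile). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed rule: response = (challenge * 7 + pin) mod 10000, rendered as four digits. */
unsigned expected_response(unsigned challenge, unsigned pin) {
    return (challenge * 7u + pin) % 10000u;
}
/* True iff reply is exactly the 4-digit decimal form of value. Callers that cannot really
 * prompt (gksu, a screensaver without a root helper) hand back NULL or "": fail closed. */
int reply_matches(const char *reply, unsigned value) {
    char want[8];
    snprintf(want, sizeof want, "%04u", value % 10000u);
    return reply != NULL && strcmp(reply, want) == 0;
}
int check_response(unsigned challenge, unsigned pin, const char *reply) {
    return reply_matches(reply, expected_response(challenge, pin));
}
#ifdef WITH_PAM
#define PAM_SM_AUTH
#include <security/pam_modules.h>
/* Send one message of the given style; *reply receives the application's malloc'd answer. */
static int ask(pam_handle_t *pamh, int style, const char *prompt, char **reply) {
    const struct pam_conv *conv;
    const struct pam_message msg = { style, prompt }, *msgp = &msg;
    struct pam_response *resp = NULL;
    if (pam_get_item(pamh, PAM_CONV, (const void **)&conv) != PAM_SUCCESS || !conv ||
        conv->conv(1, &msgp, &resp, conv->appdata_ptr) != PAM_SUCCESS || !resp)
        return PAM_CONV_ERR;
    *reply = resp->resp;
    free(resp);
    return PAM_SUCCESS;
}
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    const unsigned challenge = 4821, pin = 1234; /* constructed test values, not secrets */
    char prompt[48], *reply = NULL; int ok;
    /* Two-line prompt on purpose: shows up callers that display only the first line. */
    snprintf(prompt, sizeof prompt, "Challenge %04u\nResponse: ", challenge);
    if (ask(pamh, PAM_PROMPT_ECHO_ON, prompt, &reply) != PAM_SUCCESS) return PAM_AUTH_ERR;
    ok = check_response(challenge, pin, reply); free(reply);
    if (!ok) return PAM_AUTH_ERR;
    if (ask(pamh, PAM_PROMPT_ECHO_OFF, "PIN: ", &reply) != PAM_SUCCESS) return PAM_AUTH_ERR;
    ok = reply_matches(reply, pin); free(reply);
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { return PAM_SUCCESS; }
#endif
```

Wire the built module into a throwaway service file under /etc/pam.d/ and drive it from each client (sshd, gdm, gksu, a screensaver unlock) to see which ones actually deliver both prompts and return a reply.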

