LinuxQuestions.org
Old 02-15-2010, 04:31 AM   #1
HarveyPwca
LQ Newbie
 
Registered: May 2009
Posts: 3

Rep: Reputation: -4
Which distributions have true multi factor authentication?


The distribution I've been using does not have a proper two-factor login scheme. The daft buggers have configured the system so that whoever is sitting in front of a machine is gifted with the entire list of user names having access to the system. This, of course, only requires them to guess only one of the factors instead of both. So while said system is still a two-factor system it's one whose security has been crippled down to a single-factor system.

Does anyone know which distributions have proper two-factor authentication schemes for logging in users?

-----p.s.
No, I will not name the distribution I'm using so that a 'fix' can be provided. If the distribution's creators have been willing to knowingly bugger the security of the system for the sake of user laziness at the login then heaven only knows what other holes exist. I have neither the time nor the inclination to discover or ask what they might be and how to 'fix' them as well. Better to simply move on to a distribution who won't knowingly bugger the security.
 
Old 02-15-2010, 04:49 AM   #2
carbonfiber
Member
 
Registered: Sep 2009
Location: Sparta
Posts: 237

Rep: Reputation: 46
You realize that this is most likely just the default way your display manager is set up and that you can most likely very easily 'fix' this? Could it be that the distribution in question is Fedora? Also, don't want your users to get lazy? Disable the DM altogether and let them log in at one of the virtual consoles, start their favorite WM/DE manually, etc. Try OpenBSD, they claim to be secure by default, which seems to be what you are looking for.
 
Old 02-15-2010, 05:30 AM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by HarveyPwca
The distribution I've been using does not have a proper two-factor login scheme. The daft buggers have configured the system so that whoever is sitting in front of a machine is gifted with the entire list of user names having access to the system. This, of course, only requires them to guess only one of the factors instead of both. So while said system is still a two-factor system it's one whose security has been crippled down to a single-factor system.

Does anyone know which distributions have proper two-factor authentication schemes for logging in users?

-----p.s.
No, I will not name the distribution I'm using so that a 'fix' can be provided. If the distribution's creators have been willing to knowingly bugger the security of the system for the sake of user laziness at the login then heaven only knows what other holes exist. I have neither the time nor the inclination to discover or ask what they might be and how to 'fix' them as well. Better to simply move on to a distribution who won't knowingly bugger the security.
It would be ridiculous IMHO to switch distro for something like this, instead of simply making the appropriate configuration tweak and perhaps filing a feature request (or bug report if you feel so strongly about it). That said, your idea of what constitutes "proper" two-factor authentication seems a bit off to me. Even when you get rid of the list of usernames, it's still not going to be two-factor authentication, since you're still using the same factor (something you know). For two-factor authentication, you'd need to supplement the password requirement with, for example, biometrics (something you are) or smart cards (something you have). Keeping your username private doesn't add a factor, it just augments your current, single factor.

Last edited by win32sux; 02-15-2010 at 05:45 AM.
 
Old 02-16-2010, 02:21 AM   #4
HarveyPwca
LQ Newbie
 
Registered: May 2009
Posts: 3

Original Poster
Rep: Reputation: -4
Trolls reframe the question.
Trolls argue semantics.
Trolls don't help others accomplish something but instead expect others to do it the troll's way.

RTFQ and ATFQ is what non-trolls do.
 
0 members found this post helpful.
Old 02-16-2010, 02:27 AM   #5
carbonfiber
Member
 
Registered: Sep 2009
Location: Sparta
Posts: 237

Rep: Reputation: 46
OMG! A troll-moderator? We are all doomed! :-/
 
Old 02-16-2010, 02:46 AM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by HarveyPwca
Trolls reframe the question.
Trolls argue semantics.
Trolls don't help others accomplish something but instead expect others to do it the troll's way.

RTFQ and ATFQ is what non-trolls do.
HarveyPwca, I'm gonna have to ask you to tone it down a notch. Next time you feel like attacking someone, please take a few moments to chill out or just refrain from posting - for your own good. If you wish to continue being rude on the forums, by all means go right ahead, but understand that there will be consequences (which may include loss of LQ privileges). This is an official public warning to you, which has been logged.

As for your question, the answer is that any distro can be made to do multi-factor authentication. Your post, however, talks about two completely different things. One is your issue with the usernames being displayed at login time (which I believe is your main concern here), while the other issue is the question posed in the thread's title, which as I explained in my previous post is not directly related to the username list. This isn't about semantics, it's about understanding what something is, and what it's not. In a forum such as this, it would be extremely irresponsible for me to not provide some guidance when someone erroneously refers to username/password combinations as "two-factor authentication".

At this point, I would ask that you clarify whether you are seeking help getting your login manager to stop displaying the username list; seeking a distro that doesn't display the username list by default (eliminating the need for you to personalize your login manager's settings); or seeking a distro that does multi-factor authentication out-of-the-box (since it should be fairly obvious that any distro could be made to do it post-install). Once our members have no doubts about what specific direction you're determined to take, they will be better able to provide you with their assistance.

Last edited by win32sux; 02-16-2010 at 03:18 AM.
 
Old 02-16-2010, 08:37 AM   #7
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
Originally Posted by HarveyPwca
Does anyone know which distributions have proper two-factor authentication schemes for logging in users?
Here's some sources that might help you...from a free open-source solution with a hardware key to server-based solutions to UNIX...one of these should point you in the right direction.

Tighter SSH Security with Two-Factor Authentication
Dec 01, 2006 By Paul Sery
http://www.linuxjournal.com/article/8957
This article describes how to combine removable media with OpenSSH public/private keys and the amazing ssh-agent program to achieve two-factor authentication for both regular and privileged users.


Open Source Two-factor authentication: The WiKID Community Edition
http://www.wikidsystems.com/community-version
The WiKID Strong Authentication System consists of three parts: the WiKID server, the WiKID token client and a network client (such as a VPN, website or other service requesting authentication). The WiKID server is written in Java, as is the open source J2SE PC client.


Two-Factor Authentication: Can You Choose the Right One?
http://www.sans.org/reading_room/whi...ight_one_33093
This paper will serve as a great beginning stepping stone for those who have chosen to adopt this type of authentication. It can be extremely expensive to change course after choosing a company/technology; therefore, the thorough evaluation of available products is of paramount importance. This paper will conclude with recommendations, a comparison of benefits and negatives regarding each inquiry, and proposals.


Multi-security mechanisms with multifactor authentications
http://www.ibm.com/developerworks/ai...P=grsitelnxw16
Authentication is the key component of security-based solutions. In client-server models designed over UNIX® systems, distributed network security is of significant importance. In order to meet the stringent security requirements necessary in client-server models, either multi-layer authentication or multifactor authentication or combinations of both are being used by existing systems. This article discusses the risk associated with the use of the same security mechanism in multifactor authentication systems and proposes the use of GSS-API (Generic Security Service available with most of the UNIX systems) as a suitable option for achieving the multi-security mechanism clubbed with multi-factor authentication for enhanced security for solutions designed over UNIX.
 
2 members found this post helpful.
Old 02-17-2010, 12:24 AM   #8
HarveyPwca
LQ Newbie
 
Registered: May 2009
Posts: 3

Original Poster
Rep: Reputation: -4
I have found one possible answer to my question. It seems that Debian v5.04 does not present a user list to anyone when they attempt to login. So, for now at least, I will use it and keep searching to see what other distributions are similar in this regard.



Did I phrase the subject line of the thread badly? Sure. It happens frequently and not just among the newbie types.

Did I, in describing my concern, misuse the common understanding of certain phrases like "multi-factor authentication" and "two-factor authentication"? Certainly. Again, this sort of thing happens frequently and not just among the newbie types.

However these errors on my part in no way give those who do know the common meaning the right to ignore the question being asked altogether opting instead to blather on about how the original poster messed things up. Trolls argue about the minutiae instead of answering the question.

Now to be fair, if someone had posted a response (and someone has -- thanks Jim Bengtson for the help) showing the errors made but not answering the question asked I could have lived with being educated by others on the misuse of these phrases provided they did only that. Instead I was besieged by trolls foisting their opinions on what I ought and/or ought not to be doing. Trolls issue proclamations concerning what others ought and ought not be doing rather than actually answering the question asked. The fact that someone is in a position of authority does not preclude them from behaving like a troll. It just makes them a troll with a badge.

As for the troll with a badge's argument over my question being unclear....

The first clue as to what question is being asked is a little thing appearing at the end of a sentence called a "question mark". It looks like this: '?'.

Considering there is only ONE sentence in the entire posting with one of those marks... hmmm, perhaps I should have underlined it, increased the size of the type face and made it a different colour to make it more clear.

I made the question even more clear by stating (in a post script) that I wish to replace my current distribution rather than repair it. I even provided a reason. So what happened? The trolls chose to argue my reason wasn't justified so my question would become irrelevant. The trouble is though that it doesn't matter whether my reason is justifiable or not. You see I am using Linux and the reason I am using Linux (as opposed to M$ or A$ or ???) is precisely so I can decide how things happen on my computer. If one distribution doesn't do things the way I would like them then I can go to one that will. For instance, how many have flocked from their previous distribution in favor of Ubuntu precisely because Ubuntu does things the others won't??? So what do I get instead of an answer to the question... a troll with a badge (who by the way is an Ubuntu user) issuing proclamations concerning how in their opinion ridiculous people change their distribution of choice rather than fixing the one they currently have. Then this troll with a badge has the audacity to proclaim that I am attacking people and need to tone it down a notch.

I wrote it before, I will write it again:

Trolls reframe the question.
Trolls argue semantics.
Trolls don't help others accomplish something but instead expect others to do it the troll's way.

RTFQ and ATFQ is what non-trolls do.


Now, go ahead and ban me troll with a badge. It's no great loss on my part since I now know that should I ever have a question again posting it on 'Linux Questions' will only result in being abused by not framing the question properly but will also be told what to do rather than helped with how I would like things to work.
 
0 members found this post helpful.
Old 02-17-2010, 12:53 AM   #9
evo2
Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Debian, SL
Posts: 5,098

Rep: Reputation: 1102
This is just a configuration option in your display manager. What are you using? Eg kdm, gdm, xdm

Edit: Just read more of the thread: @OP sorry, seems my post will not help you.

Cheers,

Evo2.

Last edited by evo2; 02-17-2010 at 01:03 AM.
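
The display-manager setting discussed in this thread, as an added example that is not part of any poster's message: a small shell check that reads a display-manager config and reports whether the login screen exposes the user list. The key names (`disable-user-list` in a GDM 3 dconf keyfile, `UserList` in kdmrc) are assumptions about the installed display-manager version, and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a display-manager config expose the login user list?
# Key names are assumptions (GDM 3 dconf keyfile, KDM kdmrc); check your version's docs.

# ini_get SECTION KEY -- print the last value of KEY inside [SECTION]; config on stdin.
ini_get() {
    awk -v want="[$1]" -v key="$2" '
        /^[ \t]*[#;]/ { next }                          # skip comment lines
        /^[ \t]*\[/   { gsub(/[ \t\r]/, ""); insec = ($0 == want); next }
        insec {
            eq = index($0, "=")
            if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v                       # last assignment wins
        }
        END { print val }'
}

# userlist_exposed DM -- config on stdin; prints "hidden" or "exposed".
# A missing key counts as "exposed", since both greeters show the list by default.
userlist_exposed() {
    case "$1" in
        gdm) v=$(ini_get "org/gnome/login-screen" "disable-user-list")
             [ "$v" = "true" ] && echo hidden || echo exposed ;;
        kdm) v=$(ini_get "X-*-Greeter" "UserList")
             [ "$v" = "false" ] && echo hidden || echo exposed ;;
        *)   echo "unknown display manager: $1" >&2; return 2 ;;
    esac
}

# Constructed sample configs: default (weak) beside hardened.
GDM_DEFAULT='[org/gnome/login-screen]
banner-message-enable=false'
GDM_HARDENED='[org/gnome/login-screen]
disable-user-list=true'
KDM_DEFAULT='[X-*-Greeter]
UserList=true'
KDM_HARDENED='[X-*-Greeter]
# hide the face browser
UserList=false'

printf 'gdm default:  %s\n' "$(printf '%s\n' "$GDM_DEFAULT"  | userlist_exposed gdm)"
printf 'gdm hardened: %s\n' "$(printf '%s\n' "$GDM_HARDENED" | userlist_exposed gdm)"
printf 'kdm default:  %s\n' "$(printf '%s\n' "$KDM_DEFAULT"  | userlist_exposed kdm)"
printf 'kdm hardened: %s\n' "$(printf '%s\n' "$KDM_HARDENED" | userlist_exposed kdm)"
```

On a real host, pipe the actual config file into `userlist_exposed` instead of the embedded samples.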
 
Old 02-17-2010, 01:07 AM   #10
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
HarveyPwca, I could indeed issue you a temporary ban right now, as you've done the complete opposite of what I asked of you with regards to chilling out. I'm not going to do that, though, and I'm instead going to let this one go by treating it as an aftershock of your original rant. Hopefully by now you've managed to get rid of whatever's been eating at you, and this thread may still stand a chance of getting back on topic and surviving. If you wish to discuss the moderation issue any further, I request that you contact me via email directly, as this is not the proper venue for you to take up those matters.

Last edited by win32sux; 02-17-2010 at 01:23 AM.
 
1 members found this post helpful.
  

