It Me: Under the Hood of Web Authentication | Robinson, Zhu

Garrett Robinson, Yan Zhu; It Me: Under the Hood of Web Authentication; At Some Conference; circa 2017-10; N slides.

Message

  1. Do not use (linear) string comparison, ever.
    Avoid: a == b
    Use: PRF(a) == PRF(b)
    where PRF is a pseudo-random function, e.g. HMAC under a random key
  2. Use U2F with Web Authentication
  3. 2FA is weakened by the Password Reset Flow
    • Uses SMTP to deliver secrets or capabilities.
    • SMTP is not encrypted.
    • SMTP’s STARTTLS is opportunistic and fails-open (fails to cleartext)
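The comparison rule from point 1, as an added example that is not from the slides: HMAC-SHA256 under a per-process random key serves as the PRF, and the function names and key variable are mine.

```python
import hashlib
import hmac
import secrets

# Per-process random key for the PRF. It need not survive restarts; it only
# has to be unpredictable to whoever supplies the strings being compared.
_PRF_KEY = secrets.token_bytes(32)


def prf(data: bytes) -> bytes:
    """HMAC-SHA256 as the pseudo-random function PRF."""
    return hmac.new(_PRF_KEY, data, hashlib.sha256).digest()


def naive_equal(a: bytes, b: bytes) -> bool:
    """The pattern to avoid: a linear comparison that stops at the first
    differing byte, so its running time depends on how long a prefix of
    the secret the caller guessed correctly."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def prf_equal(a: bytes, b: bytes) -> bool:
    """PRF(a) == PRF(b): both inputs are keyed-hashed before comparison.

    Any early exit now happens on digest bytes the caller cannot predict
    (the key is unknown to them), so the timing reveals nothing about where
    the original strings differ. Digests are fixed-length, so the length of
    the secret is not exposed either."""
    return prf(a) == prf(b)


def verify_token(expected: bytes, supplied: bytes) -> bool:
    """Check a bearer token, session id, CSRF token etc. the safe way."""
    return prf_equal(expected, supplied)
```

Python's standard library also offers `hmac.compare_digest`, which is a constant-time comparison of the raw inputs; the PRF form above is what the slides recommend and works in any language that has an HMAC.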

Mentions

How to secure SSH login with one-time passwords on Linux | Xmodulo

How to secure SSH login with one-time passwords on Linux; Editor; In Xmodulo; 2015-03-30.

Mentions

  • OTPW
  • Integrates via PAM
  • Not available on Fedora or Red Hat (you have to build from source).

Build

  • git clone https://www.cl.cam.ac.uk/~mgk25/git/otpw
  • The Makefile requires manual editing
    PAMLIB=/usr/lib64/security

Operation

  • otpw-gen
  • ~/.otpw contains the (hashed) pregenerated passwords

Configuration

/etc/ssh/sshd_config

UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no

/usr/sbin/sshd tries to write to the user’s home directory, which is not allowed by the default SELinux policy. You must manually update the SELinux policy.