DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 13th June 2015
Peter_APIIT Peter_APIIT is offline
Shell Scout
 
Join Date: Jun 2008
Posts: 121
Default Two Factor Authentication

Dear All,

How to implement Two Factor Authentication into su command ? Thanks.
Reply With Quote
  #2   (View Single Post)  
Old 13th June 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,028
Default

For access to the root account, two-factor authentication is already mandatory in order to use su(1).
  1. Be authenticated by successfully logging in to an account in the wheel group.
  2. Know the root password.
System accounts such as those used by daemons do not have passwords, so that su(1) cannot be used to obtain their credentials.

For end-user accounts, such as those used by you or your users, these require only a single factor authentication: knowledge of the account's password.

But that is only if an end-user account has a password, used for local login. An account used for remote login via SSH may use other authentication mechanisms, and does not require a password. If remote end-user accounts are established without passwords, su(1) could not be used to authenticate as those users.
Reply With Quote
  #3   (View Single Post)  
Old 18th June 2015
Peter_APIIT Peter_APIIT is offline
Shell Scout
 
Join Date: Jun 2008
Posts: 121
Default

Thanks for the informative explanation.

Questions:
How to disable any users add to wheel group and nobody can edit the /etc/group file? (systrace perhaps)
Reply With Quote
  #4   (View Single Post)  
Old 18th June 2015
sacerdos_daemonis's Avatar
sacerdos_daemonis sacerdos_daemonis is offline
Real Name: Will forever be a secret.
Spam Deminer
 
Join Date: Sep 2014
Posts: 283
Default

Perhaps I misunderstand the question, but editing files in the /etc directory requires the root password. So it should not be necessary to remove that ability from users. If you have given users sudo privileges, they should only have root access to whatever you allow.

I have a feeling I am missing something in the question. If so, please elaborate.
Reply With Quote
  #5   (View Single Post)  
Old 18th June 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,028
Default

I think Peter is unclear about the authority granted to a standard user, compared with the authority of the super user.

Peter, the wheel group is just like any other group -- used for filesystem access control -- except that it one of the two factors for root user authorization access with su(1).

Let's look at the specific file where wheel group access is defined: /etc/group. According to group(5), group memberships are defined here.

Groups are used to define access controls to filesystems. And, for su(1), membership in the wheel group is needed for root user access.

There are three layers of access control for any file, or any directory. user, group, and world. Let's look at one file, for example. /etc/group. Here's mine:
Code:
4 -rw-r--r--  1 root  wheel  1266 Jun 12 23:44 /etc/group
The "root wheel" tells me that the file is owned by the user root, and assigned to the group wheel.

The "-rw-r-r--" is the access granted to the user, to the assigned group, and to the world, which is all other users. The file is readable and writeable by the user root, readable by other users who are in the group wheel, and also readable by any other users on this system.

The root user is the superuser, and access to all files is granted to root regardless of ownership or group assignment.
Reply With Quote
  #6   (View Single Post)  
Old 20th June 2015
Peter_APIIT Peter_APIIT is offline
Shell Scout
 
Join Date: Jun 2008
Posts: 121
Default

Thanks. From your opinion and experience, granted access as superuser with su or sudo. Which one has far better than the other (Lock down access) ?

Last edited by Peter_APIIT; 20th June 2015 at 02:26 AM. Reason: added questions
Reply With Quote
  #7   (View Single Post)  
Old 20th June 2015
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,319
Default

Quote:
Originally Posted by Peter_APIIT View Post
Which one has far better than the other (Lock down access) ?
sudo(8).
Reply With Quote
  #8   (View Single Post)  
Old 20th June 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,028
Default

Sudo. I'd recommended it to jkl three days ago here, which you must have missed. But even better, today ocicat very clearly compared su and sudo. I'll quote his post directly out of that thread, because I think it is both better and clearer than what I had to say. He and I both recommended the same book.
Quote:
Originally Posted by ocicat View Post
su(1) implements an either-or scheme -- either one has the administrative password, or one does not, and if one has knowledge of the password, one has access to everything.

Keeping the password secret also becomes harder as more administrators are needed. Plus, this creates more instances where the password can be compromised.

sudo(8) implements a scheme where knowledge of the administrative password is not required, and administrative work can divided between many, & each has access to only what they need -- not everything.

While this sounds bureaucratic in how to manage a staff, sudo(8) simplifies administrative tasks of single-user systems too.

The real value of sudo(8) is how an administrative policy can be flexibly constructed for large and small systems alike.

Readers are encouraged to read Michael Lucas' book on this very topic:

https://www.michaelwlucas.com/nonfiction/sudo-mastery

Highly recommended.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Active Directory Authentication ComputerErik OpenBSD General 3 20th May 2011 03:21 AM
ZeuS trojan attacks bank's 2-factor authentication J65nko News 0 22nd February 2011 02:38 PM
NTLM Authentication plexter FreeBSD Security 1 7th January 2011 08:43 PM
Cups , authentication issue welkin FreeBSD Installation and Upgrading 2 7th March 2010 01:03 AM
openldap for authentication rajendra_nagi FreeBSD General 9 17th July 2008 06:43 PM


All times are GMT. The time now is 11:34 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick