Anyone have luck setting up two-factor auth for Fedora in "the Cloud" - preferably, at AWS? Yes, I got one of the token generators discussed at http://aws.amazon.com/mfa/
However, those only appear to help with authentication to (per the faq):
- Secure pages on the AWS Portal (http://aws.amazon.com) - AWS Management Console (https://console.aws.amazon.com)
What if I need to multi-factor auth to the instances themselves? Anyone know if there's a service out there that does this for Fedora (or RedHat, which can easily be made to work for...) instances in the "cloud?"
I'm used to doing this locally and then making the remote systems only allow access via a limited number of machines (which themselves do 2-factor). I'm now in a situation though with every workstation being outside the trust zone completely, VPN not being something that could change that (too many details...), and thus needing to accomplish the 2-factor in the cloud itself. Most of the results from "two factor authentication cloud" I get are about cloud-based providers authenticating the local machines...versus what I need, which is a service that I can auth cloud-based machines against for the second factor. I know of many industries that would *have* to have a 2-factor solution to use cloud instances, so surely my google-fu is just not working...anyone gone down this road themselves yet?
Brian
Right, the AWS two factor auth is just for access to their stuff and not at all related to instance auth.
You basically want anything that can be used for two factor auth in Fedora? The Yubikeys should work (http://www.yubico.com/yubikey) and I also vaguely remember that Google released a library with a pam module for their two factor auth a few months ago although I'm not finding a link to it in a quick check
- Jeremy
On Fri, Jan 28, 2011 at 4:42 PM, Brian LaMere brian@cukerinteractive.com wrote:
Anyone have luck setting up two-factor auth for Fedora in "the Cloud" - preferably, at AWS? Yes, I got one of the token generators discussed at http://aws.amazon.com/mfa/ However, those only appear to help with authentication to (per the faq):
Secure pages on the AWS Portal (http://aws.amazon.com) AWS Management Console (https://console.aws.amazon.com)
What if I need to multi-factor auth to the instances themselves? Anyone know if there's a service out there that does this for Fedora (or RedHat, which can easily be made to work for...) instances in the "cloud?" I'm used to doing this locally and then making the remote systems only allow access via a limited number of machines (which themselves do 2-factor). I'm now in a situation though with every workstation being outside the trust zone completely, VPN not being something that could change that (too many details...), and thus needing to accomplish the 2-factor in the cloud itself. Most of the results from "two factor authentication cloud" I get are about cloud-based providers authenticating the local machines...versus what I need, which is a service that I can auth cloud-based machines against for the second factor. I know of many industries that would *have* to have a 2-factor solution to use cloud instances, so surely my google-fu is just not working...anyone gone down this road themselves yet? Brian _______________________________________________ cloud mailing list cloud@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/cloud
Yeah, I guess it's not really cloud specific, other than the idea that it's for remote systems that are in networks I don't control, and it needs to be a setup that is easily replicated/deployed...you know, like an AWS instance, or such ;)
I had looked around for a pam module for the google auth not terribly long ago and didn't find anything that was outside of alpha-level stuff.
Brian
On Fri, Jan 28, 2011 at 6:36 PM, Jeremy Katz katzj@fedoraproject.orgwrote:
Right, the AWS two factor auth is just for access to their stuff and not at all related to instance auth.
You basically want anything that can be used for two factor auth in Fedora? The Yubikeys should work (http://www.yubico.com/yubikey) and I also vaguely remember that Google released a library with a pam module for their two factor auth a few months ago although I'm not finding a link to it in a quick check
- Jeremy
On Fri, Jan 28, 2011 at 4:42 PM, Brian LaMere brian@cukerinteractive.com wrote:
Anyone have luck setting up two-factor auth for Fedora in "the Cloud" - preferably, at AWS? Yes, I got one of the token generators discussed at http://aws.amazon.com/mfa/ However, those only appear to help with authentication to (per the faq):
Secure pages on the AWS Portal (http://aws.amazon.com) AWS Management Console (https://console.aws.amazon.com)
What if I need to multi-factor auth to the instances themselves? Anyone know if there's a service out there that does this for Fedora (or RedHat, which can easily be made to work for...) instances in the "cloud?" I'm used to doing this locally and then making the remote systems only
allow
access via a limited number of machines (which themselves do 2-factor).
I'm
now in a situation though with every workstation being outside the trust zone completely, VPN not being something that could change that (too many details...), and thus needing to accomplish the 2-factor in the cloud itself. Most of the results from "two factor authentication cloud" I get are about cloud-based providers authenticating the local
machines...versus
what I need, which is a service that I can auth cloud-based machines
against
for the second factor. I know of many industries that would *have* to
have
a 2-factor solution to use cloud instances, so surely my google-fu is
just
not working...anyone gone down this road themselves yet? Brian _______________________________________________ cloud mailing list cloud@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/cloud
cloud mailing list cloud@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/cloud
Dear all,
As rightly pointed out, there is a distinction between securing access to your cloud servers and access to cloud infrastructure management tools. Actually securing access to infrastructure management tools is vital given the power they have over cloud infrastructure in a way you would rarely see for management tools on dedicated hardware. For example deleting whole drives and servers!
For example we offer two-factor authentication to our web console (using an SMS delivered code for the second stage) which works very well and is easily implemented. In our case root access is retained by the customer and we don't have access to it, as such securing the cloud server falls under the full control of the customer. Implementing stronger authentication on the cloud server then becomes a matter of the networking and control granted by the cloud vendor over the cloud server. In our case its open networking and full control so you set-up whatever authentication you need in the same way as on dedicated hardware. On other platforms you may need to work around their firewalls and installation restrictions to get things working within the servers.
We wrote some blog posts on cloud security in general which may be of interest to subscribers of this list: Securing the network in the cloud: http://www.cloudsigma.com/en/blog/2010/09/13/10-security-in-a-public-iaas-cl... Securing access to cloud servers: http://www.cloudsigma.com/en/blog/2010/09/19/11-security-in-the-cloud-access... Securing data storage: http://www.cloudsigma.com/en/blog/2010/12/04/15-security-in-the-cloud-data-s...
Kind regards,
Robert