• A guide to designing Account Security Mechanisms

    The history of the Internet is rife with examples of compromises arising both from poor security hygiene, and also from misguided attempts to "make it more secure" without first considering the implications of changes.

    In this post, I'll be detailing some of the decisions you should be making when designing account security and user management functionality.

    There's likely little in here that hasn't already been stated elsewhere, but I thought it might be helpful to put it all together in one post.

    The post itself is quite long, so headings are clicky links to themselves. For those with limited time, there's a Cheat Sheet style summary towards the bottom.

  • CentOS: Requiring a Yubikey OTP for SSH Password logins

    The increasing ubiquity of the Yubikey makes it an ideal candidate for a Two-Factor Authentication mechanism, and configuring a CentOS based server to require a push of a Yubikey is particularly easy.

    By the end of this documentation, we'll have configured a CentOS server to require that a user provide the following in order to login via SSH, unless they already have a valid RSA key pair configured on the server

    • Username (obviously)
    • Account password
    • Valid Yubikey OTP

    For the sake of this documentation, we'll assume that you're using Yubico's validation servers (Yubicloud) rather than running your own (though if you are doing the latter, there's only one change in the configuration).