Two-Factor Authentication is an important thing today. We will definitely want to avoid a third-party service provider like Google for an OpenStack Cloud. Right now, Authentication as a Service (AaaS) and Logging as a Service (LaaS) are part of core corporate strategies, and Cloud Computing risk analysis is definitely important today.
In the colorful light of PRISM-like governmental spyware activities and their private kind of “partners”, Google and Microsoft services should not be used for anything that involves corporate data – that includes even the public website. With Google and Microsoft out, we have to think about the other options, better if the Two-Factor Authentication system is fully of an Open Source model. We are talking about corporate data; whether Google Two-Factor Authentication is suitable for your personal usage or not, we clearly cannot predict.
Two-Factor Authentication in OpenStack Cloud
Two-factor authentication adds an extra layer of security on top of the user name and password style authentication that Keystone supports by default. Again Major Hayden’s name arrives:
You can read the bigger doc here:
Most actually assume that Two-Factor Authentication / Multi-Factor Authentication is limited to Google-style text message or voice call based authentication. An RSA fingerprint, i.e. restricting login to a matching key pair, is another type of Two-Factor Authentication. If you want the Google Authenticator PAM module to secure your SSH login, that is quite easy to set up:
sudo apt-get install libpam-google-authenticator
# /etc/pam.d/sshd: add this line
auth required pam_google_authenticator.so
# /etc/ssh/sshd_config: change no to yes
ChallengeResponseAuthentication yes
# type and hit enter as the user who will log in, answer the questions there
google-authenticator
# restart sshd or reboot
sudo service ssh restart
In this scenario, Google’s server is acting as a middle man to handle the SSH session. This is not a very secure setup, as anyone can understand. It is only good for less important events, like logging in to a website.
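As an added example (not code from the original post, and not the PAM module’s own source), the check below is a stand-alone TOTP verifier in the style the Google Authenticator PAM module performs on the SSH server: the code is recomputed from the shared secret written by google-authenticator (RFC 6238, HMAC-SHA1, 30-second step, 6 digits), a small clock-skew window is tolerated, and a code that was already accepted is refused again, which models the module’s default refusal to reuse a token. The secret is the RFC 6238 test-vector key, constructed here so the output can be checked against the published values; the class and function names are the example’s own.

```python
import base64
import hashlib
import hmac

# RFC 6238 reference secret ("12345678901234567890"), base32-encoded the way
# google-authenticator stores it in ~/.google_authenticator (constructed input).
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_b32_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating the missing '=' padding the app omits."""
    s = secret_b32.strip().upper().replace(" ", "")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(decode_b32_secret(secret_b32), now // step, digits)


class TotpVerifier:
    """Server-side check for one user: verifies a submitted code against the shared secret.

    window=1 accepts the previous, current and next 30-second step (clock skew).
    A code for a time step at or before the last accepted one is rejected, so the
    same code cannot be replayed within its validity window (simplified model of
    the PAM module's reuse protection).
    """

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30, digits: int = 6):
        self.key = decode_b32_secret(secret_b32)
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest time step already used for a successful login

    def verify(self, code: str, now: int) -> bool:
        code = code.strip()
        if not (code.isdigit() and len(code) == self.digits):
            return False
        current = now // self.step
        for offset in range(-self.window, self.window + 1):
            counter = current + offset
            if counter <= self.last_counter:
                continue  # already consumed: refuse replay
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Matches the RFC 6238 SHA1 vector for time 59 (94287082, truncated to 6 digits).
    print(totp(RFC6238_SECRET_B32, 59))
    v = TotpVerifier(RFC6238_SECRET_B32)
    print(v.verify("287082", 59), v.verify("287082", 59))  # accepted, then refused as replay
```

The verification needs nothing but the secret stored on the server and the current clock, so the server’s time must be kept in sync (NTP) or the window will not cover the user’s phone; widening the window beyond one step trades that convenience against a larger set of acceptable codes.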
But I need Two-Factor Authentication in OpenStack Cloud in that Text Message Form
Then possibly you will opt for some third-party services, as they involve a PUSH message system and other protocols. There is a doc for that part too:
It is quite difficult to implement in an on-premise / rented server setup. It will require 5-6 servers for full control. Obviously, if the data centers are different, the probability of coming under attack becomes lower.
For less important servers, consider setting up the open-source CAS SSO product with the WiKID Strong Authentication Server for two-factor authentication of sessions, and mutual HTTPS authentication for host authentication.