Do you know an alternative to libpam-google-authenticator and do you think it should be implemented in Cloudron ?

JOduMonT

For the common of mortal libpam-google-authenticator allow you to request a OTP for your SSH connection. (more info)

Since nothing is bullet proof and security work by layer, I tough it might worth it to add a layer on this precious access.

What do you think ?

mehdi

I think this can be installed manually by the admin on the underlying OS.

I do think it's valuable, but I believe it should be kept separate from cloudron and installed by itself on the side, a bit like Fail2ban is today. It could however be mentioned in the docs, again like fail2ban ( https://cloudron.io/documentation/security/#fail2ban )

JOduMonT

@mehdi said in Do you know an alternative to libpam-google-authenticator and do you think it should be implemented in Cloudron ?:

again like fail2ban ( https://cloudron.io/documentation/security/#fail2ban )

LOL! I thought Fail2Ban was installed by default and every containers, or at least few, where interacting with it, not to mention it again but MailCow run fail2ban by default as a container to protect SOGo and the entire Mail Stack.

girish

For the moment, I will add it to our docs as @mehdi suggested.

girish

I have added a section here to follow this DO guide

JOduMonT

@girish said in Do you know an alternative to libpam-google-authenticator and do you think it should be implemented in Cloudron ?:

I have added a section here to follow this DO guide

thanks for your consideration
BTW I tried to update (PR) the ipset part of the doc since maxmind change their licensing and this command don't work anymore

wget http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip

girish

@JOduMonT Thanks! merged, should be part of our next deploy.