by js4all 5380 days ago
What a great solution. I will use it, but...

I guess I found a serious security problem.

When logging ssh commands with '-vT', I can see the secret. The secret should be hard coded in the two_factor script.

1 comments

I don't see the secret in the output when I run that command. It just says:

debug1: Remote: Forced command.

It seems that certain versions of OpenSSH do print out the command and parameters, so I've updated the blog post to include a work-around.