A Cloudflare engineer presents a scheme for secure authentication over the text-based and serial interfaces used for emergency out-of-band server access. The talk covers why passwords and standard OTPs fall short for this use case, then proposes a public-key OTP scheme built on ECDH with the SSH keys operators already hold. The server presents a one-time public key as the challenge; the client computes an ECDH shared secret from it with their SSH private key and returns a short (8-byte) base64-encoded response, small enough to type over a serial console. Because the server holds the matching one-time private key, it can recompute the same secret from the user's authorized SSH public key and compare, and because the challenge key is fresh for each login a captured response cannot be replayed. The implementation is a custom Linux PAM module that hooks into the login program, supporting both software SSH keys and hardware PIV keys (YubiKey), which gives full 2FA. A 'Clippy' wrapper tool automates the challenge-response flow on the client side to improve UX for operations teams.
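
The exchange described above, written out with both sides' messages, as an added example that is not the talk's PAM module or Clippy code. It assumes a P-256 key standing in for an ecdsa-sha2-nistp256 SSH key and assumes the 8-byte response is the first 8 bytes of SHA-256 over the ECDH shared secret; the talk names neither the curve nor the exact derivation, so both are illustrative choices. Function names are this example's own.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// curve mirrors an ecdsa-sha2-nistp256 SSH key (assumption; the talk does not name the curve).
var curve = ecdh.P256()

// GenerateUserKey stands in for the operator's existing SSH key pair.
func GenerateUserKey() (*ecdh.PrivateKey, error) {
	return curve.GenerateKey(rand.Reader)
}

// Challenge holds the server's one-time key pair; the private half never leaves the server
// and is discarded after a single verification attempt, successful or not.
type Challenge struct {
	priv *ecdh.PrivateKey
}

// NewChallenge (server side) generates a fresh one-time key and returns the base64 public
// key that is printed on the serial console as the challenge.
func NewChallenge() (*Challenge, string, error) {
	priv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, "", err
	}
	return &Challenge{priv: priv}, base64.StdEncoding.EncodeToString(priv.PublicKey().Bytes()), nil
}

// deriveResponse truncates SHA-256(shared secret) to 8 bytes (assumed derivation).
func deriveResponse(shared []byte) []byte {
	sum := sha256.Sum256(shared)
	return sum[:8]
}

// Respond (client side, what the Clippy-style wrapper would automate) decodes the challenge,
// runs ECDH with the SSH private key and returns the short base64 response to type back.
func Respond(challengeB64 string, sshPriv *ecdh.PrivateKey) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(challengeB64)
	if err != nil {
		return "", err
	}
	serverPub, err := curve.NewPublicKey(raw)
	if err != nil {
		return "", err
	}
	shared, err := sshPriv.ECDH(serverPub)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(deriveResponse(shared)), nil
}

// Verify (server side) recomputes the secret from the one-time private key and the user's
// authorized public key, then compares in constant time. The challenge is consumed on the
// first call so a replayed or second-guessed response against it always fails.
func (c *Challenge) Verify(response string, authorizedPub *ecdh.PublicKey) (bool, error) {
	if c.priv == nil {
		return false, errors.New("challenge already consumed")
	}
	priv := c.priv
	c.priv = nil
	got, err := base64.StdEncoding.DecodeString(response)
	if err != nil {
		return false, err
	}
	shared, err := priv.ECDH(authorizedPub)
	if err != nil {
		return false, err
	}
	want := deriveResponse(shared)
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	user, _ := GenerateUserKey()
	ch, challenge, _ := NewChallenge()
	fmt.Println("server -> client challenge:", challenge)
	resp, _ := Respond(challenge, user)
	fmt.Println("client -> server response: ", resp)
	ok, _ := ch.Verify(resp, user.PublicKey())
	fmt.Println("verified:", ok)
}
```

The server never needs the user's private key, only the public key already present in the user's authorized SSH keys, and nothing secret crosses the serial line: the challenge is a public key and the response reveals only 8 bytes of a hash of the shared secret. The 8-byte response still encodes as 12 base64 characters, which is the typing cost the talk is optimizing for.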

49m watch time