Multi-Factor Authentication for Cheap.
Yes, cheap as in free. Steve Gibson, the superbly geeky old man of SpinRite fame, developed a printed passcode system for multi-factor authentication. It uses the Rijndael block cipher to generate a sequence of “pseudo-random” characters that lets a Systems Administrator effectively lock down administrative access with very little overhead. Basically, you carry around a credit-card sized printout, and every time you try to log in, you punch in your username, your password, and the next unused passcode from the card (the login prompt tells you which one it expects). The nice thing is that it’s free and easy to implement, and it’s cake on Debian. It’s not ported everywhere, so it’s not ubiquitous yet. However, with enough folks pitching in and developing front-ends for this product, this system can exponentially (literally) improve the security of your internet-facing systems.
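To make the mechanics concrete, here is an added Go sketch of the two halves of such a scheme: a card generator that AES-encrypts a counter under a shared key and maps the result to printable characters, and the server-side check that accepts only the next unused code and then advances. This is my own illustration, not Gibson's implementation or the Debian PAM module; the alphabet, the counter layout and the 4-character mapping are assumptions and not the exact printed-passcode specification.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Assumed alphabet: 64 printable characters with look-alikes (0/O, 1/l/I) left out
// so the codes survive being read off a printout. Not the real PPP alphabet.
const alphabet = "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz!#%+:=?"

// passcode derives the n-th 4-character code: AES-256 encrypts a 128-bit block that
// holds the counter n, and the 128-bit ciphertext is read as an integer whose
// low base-64 digits select characters from the alphabet.
func passcode(key []byte, n uint64) string {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		panic(err) // wrong key length; constructed demo keys below are 32 bytes
	}
	var counter, out [16]byte
	binary.BigEndian.PutUint64(counter[8:], n)
	block.Encrypt(out[:], counter[:])
	x := new(big.Int).SetBytes(out[:])
	base := big.NewInt(64)
	code := make([]byte, 4)
	for i := range code {
		var digit big.Int
		x.DivMod(x, base, &digit)
		code[i] = alphabet[digit.Int64()]
	}
	return string(code)
}

// Card is the server-side state: the shared sequence key and the index of the
// next code that has not been consumed yet.
type Card struct {
	Key  []byte
	Next uint64
}

// Verify compares the presented code with the expected one and, only on success,
// advances the counter so a captured code cannot be replayed.
func (c *Card) Verify(presented string) bool {
	if presented != passcode(c.Key, c.Next) {
		return false
	}
	c.Next++
	return true
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; use a random key for real
	card := &Card{Key: key}
	for i := uint64(0); i < 3; i++ {
		fmt.Printf("code %d: %s\n", i, passcode(key, i))
	}
	fmt.Println("first use accepted:", card.Verify(passcode(key, 0)))
	fmt.Println("replay accepted:   ", card.Verify(passcode(key, 0)))
}
```

The printed rows are what would go on the card; the user's copy never needs the key, only the sequence of codes.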
Go to the GRC website to find out more.
PS. Almost forgot. Once you install the PAM module and lock down SSH for your admin accounts, don’t forget to disable su for your normal users. They shouldn’t need it anyway, but if it is enabled, then all someone has to do is crack a normal user account and su into your admin account, bypassing the passcode card entirely.