Two-factor authentication for SSH

    “Secure Shell” (SSH) is a network protocol for establishing a secure connection between hosts; by default it listens on port 22 (which is better to change). SSH clients and servers are available for most operating systems. Almost any other network protocol can be tunnelled inside SSH: you can work remotely on another computer, transmit an audio or video stream over an encrypted channel, and so on. In addition, through a SOCKS proxy on a remote host, you can connect to other hosts on behalf of that remote host.

    Authentication can be done with a password, but developers and system administrators traditionally use SSH keys. The problem is that the private key can be stolen. A passphrase theoretically protects against theft of the private key, but in practice, once keys are forwarded and cached by an agent, they can still be used without any confirmation. Two-factor authentication solves this problem.

    How to implement two-factor authentication

    Honeycomb developers recently published detailed instructions on how to implement the appropriate infrastructure on the client and server.

    The instruction assumes that you have a certain base host that is open on the Internet (bastion). You want to connect to this host from laptops or computers via the Internet, and gain access to all other devices that are behind it. 2FA ensures that an attacker cannot do the same even if he gets access to your laptop, for example, by installing malware.

    Option One - OTP

    OTP stands for one-time passwords (numeric codes), which in this case are used for SSH authentication together with the key. The developers write that this is not an ideal option, because an attacker can set up a fake bastion, intercept your OTP and use it. But it is better than nothing.

    In this case, the following files are added to the Chef cookbook on the server side:

    • metadata.rb
    • attributes/default.rb (from attributes.rb)
    • files/sshd
    • recipes/default.rb (copied from recipe.rb)
    • templates/default/users.oath.erb

    On the client side, any OTP application is installed (Google Authenticator, Authy, Duo, LastPass), and the OATH tools are installed with `brew install oath-toolkit` or `apt install oathtool openssl`. Then a random base16 (hex) string is generated as the key. It is converted to Base32, the format used by mobile authenticators, and imported directly into the application.
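    The key handling described above, as an added example that is not part of the Honeycomb instructions: the same hex key is kept on the server (in the users.oath file) and handed to the phone in Base32, and both sides must produce the same RFC 6238 TOTP code. The users.oath line format (HOTP/T30/6, user, "-", hex key) is taken from the oath-toolkit pam_oath documentation; the user name "alice" is a placeholder.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def generate_hex_key(nbytes=20):
    """Random base16 key, as in the article's server-side step (160 bits suits HMAC-SHA1)."""
    return secrets.token_hex(nbytes)


def hex_to_base32(hex_key):
    """Mobile authenticators import Base32; the oath-toolkit side keeps the hex form."""
    return base64.b32encode(bytes.fromhex(hex_key)).decode("ascii").rstrip("=")


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_from_hex(hex_key, ts, step=30):
    """What the server (pam_oath) computes from the users.oath entry at Unix time ts."""
    return hotp(bytes.fromhex(hex_key), int(ts // step))


def totp_from_base32(b32_key, ts, step=30):
    """What the phone app computes from the imported Base32 secret (re-adds stripped padding)."""
    padded = b32_key + "=" * (-len(b32_key) % 8)
    return hotp(base64.b32decode(padded, casefold=True), int(ts // step))


def verify(hex_key, submitted, ts, step=30, window=1):
    """Server-side check allowing +/- `window` steps of clock drift; constant-time compares."""
    ok = False
    for k in range(-window, window + 1):
        ok |= hmac.compare_digest(totp_from_hex(hex_key, ts + k * step, step), submitted)
    return ok


def users_oath_line(user, hex_key):
    """One users.oath entry: TOTP, 30-second step, 6 digits (format per pam_oath docs)."""
    return f"HOTP/T30/6\t{user}\t-\t{hex_key}"


if __name__ == "__main__":
    key = generate_hex_key()
    print("users.oath:", users_oath_line("alice", key))   # "alice" is a placeholder user
    print("import into app:", hex_to_base32(key))
```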

    As a result, you can connect to the bastion and make sure that now it requires not only a passphrase, but also an OTP code for authentication:

    ➜ ssh -A bastion
    Enter passphrase for key '[snip]': 
    One-time password (OATH) for '[user]': 
    Welcome to Ubuntu 18.04.1 LTS...

    Option Two - Hardware Authentication

    In this case, the user is not required to enter an OTP code each time, since the second factor is the hardware device or biometrics.

    Here the Chef configuration is a little more complicated, and the client configuration depends on the OS. But after completing all the steps, clients on macOS can confirm SSH authentication with a passphrase plus a finger on the fingerprint sensor (the second factor).

    Owners of iOS and Android devices confirm the login by pressing a single button on the smartphone. This is a special technology from Krypt.co, which is even safer than OTP.

    On Linux / ChromeOS, there is an option to work with YubiKey USB tokens. Of course, an attacker can steal your token, but he still does not know the passphrase.
