Add two-factor OTP authentication to SSH in 10 minutes
Situation: you have a park of Linux-servers where you regularly log in via SSH. Two-factor authentication for SSH with an iron key or Google Authenticator is configured, maybe simple, but it’s not always convenient to make this setting on each server, there may be too many of them, or it’s just scary to restart sshd :)
A way out of this situation may be an intermediate authentication server. We have already written about the layout of our solution (Isolate) in open source , in the same article - instructions for setting up an authentication server with two-factor authentication using one-time keys via Google Authenticator.
Let's start with the Isolate deployment, for this you need CentOS 7, Ubuntu 16.04 or a Debian 8 machine:
')
1. Prepare the system for installing Isolate:
Centos:
Ubuntu:
2. Download Isolate itself:
3. To run ansible on the same machine, we bring it to the form (you can run either from a remote machine, server or desktop Linux / MacOS, or directly on the machine on which you deploy Isolate):
four.
We are waiting for execution. In case Ubuntu swears at the Upgrading installed packages (APT) step, we do:
5. Add to the end / etc / bashrc (Centos) or /etc/bash.bashrc (Ubuntu)
6. Reboot the machine. Done!
1. Add to the end of /etc/pam.d/sshd (Centos) a line, or in /etc/pam.d/common-auth (Ubuntu)
2
3. At the end of / etc / ssh / sshd_config
four.
5. Add a user to enable oauth
6. Generate TOTP or HOTP tokens:
Add a token through a QR code in Google Authenticator:
7
8. Add the line obtained in paragraph 6 to /etc/oath/users.oath
9. We look at the password from redis
Add an entry to / etc / bashrc (Centos) or /etc/bash.bashrc (Ubuntu)
Now that we have a ready server for two-factor authentication, we can add our own servers. To do this, you must first add the server information to Isolate, then create users and put the keys on the target server.
Add a server to which we will go:
You can view the list of servers using the s command:
On the server 10.0.0.1 we create the user support and assign it the key from /home/auth/.ssh/id_rsa.pub from the Isolate server:
Now on the Isolate server, we can use the s commands to find the server we need and g to go to a specific server:
Now you need to go to all the added servers from the authentication one: by one-time code and password, go to Isolate, and then to the required server. Direct on the server in this case, you should not go, because then the meaning of two-factor authorization is lost. Well, in general, remove the keys, users, etc. :)
As usual, comments, additions and, of course, pool requests are welcome! Github project .
A way out of this situation may be an intermediate authentication server. We have already written about the layout of our solution (Isolate) in open source , in the same article - instructions for setting up an authentication server with two-factor authentication using one-time keys via Google Authenticator.
Let's start with the Isolate deployment, for this you need CentOS 7, Ubuntu 16.04 or a Debian 8 machine:
')
1. Prepare the system for installing Isolate:
Centos:
yum install ansible git Ubuntu:
apt update; apt install git python-pip pip install ansible 2. Download Isolate itself:
git clone https://github.com/itsumma/isolate.git 3. To run ansible on the same machine, we bring it to the form (you can run either from a remote machine, server or desktop Linux / MacOS, or directly on the machine on which you deploy Isolate):
[main] localhost ansible_connection=local four.
ansible-playbook -i isolate/ansible/hosts.ini isolate/ansible/main.yml We are waiting for execution. In case Ubuntu swears at the Upgrading installed packages (APT) step, we do:
apt dist-upgrade 5. Add to the end / etc / bashrc (Centos) or /etc/bash.bashrc (Ubuntu)
if [ -f /opt/auth/shared/bash.sh ]; then source /opt/auth/shared/bash.sh; fi 6. Reboot the machine. Done!
Getting Started with oauth
1. Add to the end of /etc/pam.d/sshd (Centos) a line, or in /etc/pam.d/common-auth (Ubuntu)
auth required pam_oath.so usersfile=/etc/oath/users.oath window=20 digits=6 2
sed -i -e 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config 3. At the end of / etc / ssh / sshd_config
Match Group auth AuthenticationMethods keyboard-interactive four.
systemctl restart sshd 5. Add a user to enable oauth
auth-add-user _ 6. Generate TOTP or HOTP tokens:
gen-oath-safe _ totp gen-oath-safe _ hotp Add a token through a QR code in Google Authenticator:
7
touch /etc/oath/users.oath chmod 0600 /etc/oath/users.oath 8. Add the line obtained in paragraph 6 to /etc/oath/users.oath
9. We look at the password from redis
grep requirepass /etc/redis.conf Add an entry to / etc / bashrc (Centos) or /etc/bash.bashrc (Ubuntu)
ISOLATE_BACKEND=redis ISOLATE_REDIS_HOST="127.0.0.1"; ISOLATE_REDIS_PORT="6379"; ISOLATE_REDIS_DB=0; ISOLATE_REDIS_PASS=redis_pass; export ISOLATE_REDIS_HOST; export ISOLATE_REDIS_PORT; export ISOLATE_REDIS_PASS; export ISOLATE_REDIS_DB; Add servers
Now that we have a ready server for two-factor authentication, we can add our own servers. To do this, you must first add the server information to Isolate, then create users and put the keys on the target server.
Add a server to which we will go:
auth-add-host --project server-admin --server-name ubuntu --ip 10.0.0.1 You can view the list of servers using the s command:
Add user to server
On the server 10.0.0.1 we create the user support and assign it the key from /home/auth/.ssh/id_rsa.pub from the Isolate server:
SUPPORT_USER="support" KEY="<YOU KEY HERE>" useradd -m ${SUPPORT_USER} mkdir /home/${SUPPORT_USER}/.ssh echo ${KEY} >> /home/${SUPPORT_USER}/.ssh/authorized_keys chmod 600 /home/${SUPPORT_USER}/.ssh/authorized_keys chmod 700 /home/${SUPPORT_USER}/.ssh/ chown -R ${SUPPORT_USER}:${SUPPORT_USER} /home/${SUPPORT_USER}/.ssh/ echo "${SUPPORT_USER} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers Now on the Isolate server, we can use the s commands to find the server we need and g to go to a specific server:
g ip_ - g 10.0.0.1 g _ - g server-admin ubuntu Now you need to go to all the added servers from the authentication one: by one-time code and password, go to Isolate, and then to the required server. Direct on the server in this case, you should not go, because then the meaning of two-factor authorization is lost. Well, in general, remove the keys, users, etc. :)
As usual, comments, additions and, of course, pool requests are welcome! Github project .
Source: https://habr.com/ru/post/335686/
All Articles