
Two-factor authentication for SSH

SSH ("secure shell") is a network protocol for establishing a secure connection between hosts; it listens on port 22 by default (which is better to change). SSH clients and servers are available for most operating systems. Virtually any other network protocol can be carried inside SSH, so you can work on a remote computer, transfer an audio or video stream over an encrypted channel, and so on. In addition, SSH can provide a SOCKS proxy on the remote host, through which you connect to other hosts on behalf of that remote host.

Authentication can be done with a password, but developers and system administrators traditionally use SSH keys. The problem is that the private key can be stolen. A passphrase theoretically protects a stolen private key, but in practice agent forwarding and key caching allow the key to be used without any further confirmation. Two-factor authentication solves this problem.

How to implement two-factor authentication

Honeycomb developers recently published detailed instructions on how to implement the appropriate infrastructure on the client and server.

The guide assumes that you have a single host exposed to the Internet (a bastion). You want to connect to this host from laptops or desktops over the Internet and, through it, reach all the other devices behind it. 2FA ensures that an attacker cannot do the same, even if he gains access to your laptop, for example by installing malware.

The first option is OTP

OTP stands for one-time passwords, which in this case are used for SSH authentication alongside the key. The developers write that this is not the ideal option, because an attacker can set up a fake bastion, intercept your OTP and use it. But it is better than nothing.

In this case, the following lines are written to the Chef config on the server side:


On the client side, install any OTP application: Google Authenticator, Authy, Duo, LastPass, or a command-line tool (brew install oath-toolkit or apt install oathtool openssl). Then a random base16 (hex) string is generated as the key. It is converted to Base32, the format used by mobile authenticators, and imported directly into the application.

As a result, you can connect to the bastion and confirm that it now requires not only a passphrase but also an OTP code for authentication:

 ➜ ssh -A bastion
 Enter passphrase for key '[snip]':
 One-time password (OATH) for '[user]':
 Welcome to Ubuntu 18.04.1 LTS...

The second option is hardware authentication

In this case the user does not have to type an OTP code each time, since the second factor is a hardware device or biometrics.

Here the Chef configuration is a bit more complicated, and the client configuration depends on the OS. But once everything is set up, clients on macOS can confirm SSH authentication with a passphrase plus a finger on the fingerprint sensor (the second factor).

Owners of iOS and Android devices confirm the login by pressing a single button on the smartphone. This uses a technology from Krypt.co that is even safer than OTP.

On Linux and ChromeOS there is the option of using YubiKey USB tokens. Of course, an attacker can steal your token, but he still does not know the passphrase.

Source: https://habr.com/ru/post/448970/


All Articles