projectz

Tech, Gadgets, Photography, Social Media and Poor Spelling

Enabling Dual Factor Authentication on Linux SSH logins..

havknow

A couple of weeks ago I wrote a post on using a Chromebook to develop on a cloud platform. It's based on a Digital Ocean remote server and, like most people who wish to attach to the command line interface on a remote server, I use SSH. It's an encrypted connection over the network/internet from end to end. However, being a cloud server, I was wondering if it was possible to secure this a little bit more.

A chat with a friend on the way into work provided me with a solution.

The solution is two-factor authentication, a system based on a simple premise: something you know (the SSH password in this case) and something you have (your mobile phone in this case, but it could be a secure token) which will deliver a random number.

Two-factor authentication enhances the security of your online accounts by using your phone to verify your identity. This prevents anyone but you from accessing your accounts, even if they know your password.

How It Works

You’ll enter your username and password as usual, then use your mobile phone to verify that it’s you.

No mobile phone? You can also use a landline or ask your administrator for a hardware token. Duo also lets you link multiple phones to your account, so you can use your mobile phone and a landline, a landline and a hardware token, etc.

Why Do I Need This?

Passwords are becoming increasingly easy to compromise. They can often be stolen, guessed, and hacked — you might not even know who else has your password and is accessing your account.

Two-factor authentication adds a second layer of security to your account to make sure that your account stays safe, even if someone else knows your password. And you’ll be alerted right away (on your phone) if someone does know your password and tries to log in with it.

This second factor of authentication is separate and independent from the username and password step — Duo never sees your password.

If you have enabled Google's two-factor authentication then this solution will be familiar to you; it works in much the same way, with a random number being sent to your mobile.

Duo Security

The solution is provided by a company called Duo Security (https://www.duosecurity.com/) and it is not just for Linux SSH; it's a full corporate offering supporting VPNs from the following vendors.

Duo Security Offers Two-factor Authentication for Juniper, Cisco, Array, Palo Alto, F5 FirePass, SonicWALL, Citrix, Barracuda, Fortinet, and OpenVPN

The site covers the basics of installing and suggests that within 15 minutes, with no additional hardware or software, it can provide integration with the above VPNs, not something I've personally tested (yet).

There is also an SDK available to add the system to your web pages, with client libraries available for Python, Ruby, Classic ASP, ASP.NET, Java, PHP, Node.js, ColdFusion, and Perl. Again the site provides a guide on how to implement this and suggests it's just a few lines of code.

What's interesting as well, and useful for many companies, is the support for remote Microsoft services such as RDP and OWA.

Protecting remote access with two-factor authentication is the best way to protect your organization against phishing attacks, account takeover, and data theft. Duo Security enables you to easily deploy strong two-factor authentication on your Microsoft servers. Duo’s drop-in integrations for Outlook Web App (OWA), Remote Desktop (RDP), and Threat Management Gateway (TMG) make setting up and configuring Duo two-factor authentication fast and easy. Because Duo leverages your users’ existing devices — their mobile phones — as their authentication factor, deploying Duo two-factor authentication to your users is painless too.

However, just go over to the company's web page if you want to learn more about this stuff (https://www.duosecurity.com/solutions/overview).

It's SSH I was interested in, and setting it up on my Digital Ocean cloud server to protect my SSH sessions a little bit more. The instructions the site provides cover several Linux versions (Ubuntu, SUSE, Fedora, Gentoo) and I tested them on an Ubuntu 12.10 32-bit server.

Setting up Linux SSH Security

Overview

Duo can be enabled on any Unix system with the addition of a simple login_duo utility or pam_duo PAM module. The code is open-source and available on GitHub.

First Steps

Before starting:

  1. Sign up for a Duo account (there is a free option, which provides you with nearly all of the useful features the company offers).
  2. Create a new Duo Unix integration to get an integration key, secret key, and API hostname. This can be done from the Duo Security Admin page by clicking on Integrations, then the Add New Integration button. A free account gets 10 integrations.

Connectivity Requirements

This integration communicates with Duo's service on TCP port 443. It's not recommended to lock down your firewall to individual IP addresses, since these may change over time to maintain the service's high availability.

Instructions

1. Set up login_duo

OpenSSL development headers and libraries are required for login_duo, so you'll want to install those first. libpam is also a required dependency for pam_duo. See the duo_unix README for dependency installation instructions on various platforms.

On Ubuntu:

sudo apt-get install libssl-dev
sudo apt-get install build-essential

Click here to download the latest version of duo_unix (checksum here). Then build and install:

tar zxf duo_unix-1.9.tar.gz
cd duo_unix-1.9
./configure --prefix=/usr && make && sudo make install

Once duo_unix is installed, edit login_duo.conf (in /etc/duo or /etc/security) to add your integration key, secret key, and API hostname:

sudo nano /etc/duo/login_duo.conf

[duo]
; Duo integration key
ikey = INTEGRATION_KEY
; Duo secret key
skey = SECRET_KEY
; Duo API hostname
host = API_HOSTNAME

The key information is found on the Duo Security Integrations page you set up earlier.

2. Test login_duo

As a regular user, test login_duo manually by running:

/usr/sbin/login_duo

If everything is set up correctly, you’ll be given an enrolment link and prompted to enrol:

Visit the URL, enroll your phone, and then try login_duo again, this time adding a command to run after authentication is complete:

/usr/sbin/login_duo echo 'YOU ROCK!'

You should see something like this:

3. Enable login_duo

To protect remote access via SSH, use login_duo.

To enable two-factor authentication for any SSH login method (password, pubkey, etc.) for any user, edit your sshd_config (usually in /etc or /etc/ssh) to add the following line at the end:

sudo nano /etc/ssh/sshd_config

ForceCommand /usr/sbin/login_duo

It's strongly recommended that you disable PermitTunnel and AllowTcpForwarding in your sshd_config when using login_duo to protect SSH logins. Since OpenSSH sets up port forwarding and tunneling before Duo's two-factor challenge, an attacker may be able to access internal services via port forwarding before completing secondary authentication. Adding the following lines to your sshd_config will prevent this scenario:

PermitTunnel no
AllowTcpForwarding no

There are additional instructions on the site for individual user configs, using pam_duo and a few other bits.
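The sshd_config changes in steps 1 to 3 above are easy to get subtly wrong: sshd takes the first occurrence of a keyword, the stock file often carries the same keyword commented out, and a directive appended after a Match block applies to that block only. The following script is an added example, not code from the original post or from Duo's duo_unix project. It applies ForceCommand, PermitTunnel no and AllowTcpForwarding no to whatever file it is given, so the edit can be rehearsed on a copy and checked before /etc/ssh/sshd_config is touched. It assumes the "Keyword value" form of sshd_config (not "Keyword=value"), case-insensitive keywords, first occurrence wins, and that global directives must precede any Match block, which is OpenSSH's documented behaviour; the sample sshd_config at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post or from duo_unix): rehearse the login_duo
# sshd_config changes on a copy and verify them before using them for real.

# effective_sshd_option FILE KEY
# Print KEY's value as sshd would take it: the first uncommented occurrence
# in the global section (everything before the first Match line).
effective_sshd_option() {
    awk -v key="$2" '
        BEGIN { lk = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        { k = tolower($1) }
        k == "match" { exit }                    # global section ends here
        k == lk { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# set_sshd_option FILE KEY VALUE
# Make "KEY VALUE" the effective global setting: rewrite the first global
# occurrence (a commented-out "#KEY ..." template line counts, so it is
# enabled in place), drop later global duplicates, and if KEY is absent insert
# it just before the first Match block rather than at the end of the file,
# where it would land inside that block.
set_sshd_option() {
    file=$1
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        BEGIN { lk = tolower(key); done = 0; in_match = 0 }
        {
            raw = $0; sub(/^[ \t]+/, "", raw)              # drop indentation
            stripped = raw; sub(/^#[ \t]*/, "", stripped)   # drop a leading "#"
            split(raw, r, /[ \t]+/); split(stripped, s, /[ \t]+/)
            rk = tolower(r[1]); sk = tolower(s[1])
        }
        !in_match && rk == "match" {               # only a real Match line counts
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match && sk == lk {
            if (!done) { print key " " value; done = 1 }
            next                                    # drop duplicates
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"     # cat keeps the file owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# harden_sshd_for_login_duo FILE: the three directives the post recommends.
harden_sshd_for_login_duo() {
    set_sshd_option "$1" ForceCommand /usr/sbin/login_duo &&
    set_sshd_option "$1" PermitTunnel no &&
    set_sshd_option "$1" AllowTcpForwarding no
}

# check_sshd_for_login_duo FILE: succeed only if all three are in effect globally.
check_sshd_for_login_duo() {
    [ "$(effective_sshd_option "$1" ForceCommand)" = "/usr/sbin/login_duo" ] &&
    [ "$(effective_sshd_option "$1" PermitTunnel)" = "no" ] &&
    [ "$(effective_sshd_option "$1" AllowTcpForwarding)" = "no" ]
}

# Demonstration on a constructed sshd_config (sample input, not a real host's
# file): a commented-out PermitTunnel, forwarding switched on, and a Match
# block at the end of the file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
Port 22
#PermitTunnel no
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding yes
EOF
harden_sshd_for_login_duo "$demo_dir/sshd_config"
if check_sshd_for_login_duo "$demo_dir/sshd_config"; then
    echo "global settings now in effect:"
    cat "$demo_dir/sshd_config"
    echo "note: the Match block still re-enables forwarding for user backup; review such overrides"
fi
rm -rf "$demo_dir"
# On the real host: run harden_sshd_for_login_duo on a copy, validate it with
# "sudo sshd -t -f /path/to/copy", install it, then restart the ssh service.
```

Running the functions on a copy and validating it with sshd -t before it replaces the live file keeps a typo from locking you out of the server, and the effective-value check reads the file the way sshd does, so a leftover "AllowTcpForwarding yes" higher up does not silently win over the line you appended.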

Phone Apps

Duo Push platforms

The phone support starts out with the phone as the destination for the SMS messages or phone calls that are made to authenticate. These however cost telephony credits; you get a thousand but have to pay for more. The phone apps are linked to your account and are available for iOS, Android, BlackBerry and WP7/8 devices. I've got this on my BlackBerry and Nokia Lumia and when prompted for a code or an SMS, I just generate a code on the phone app.

Duo Push is an out-of-band authentication mechanism over a mutually-authenticated secure transport, and is resilient against even the most sophisticated man-in-the-browser and credential-stealing attacks. Login requests are signed with an asymmetric PKCS#1 v1.5 key pair, which provides a stronger identity assertion than passcodes and prevents "RSA-style" breaches.
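To make the "signed with an asymmetric PKCS#1 v1.5 key pair" claim concrete, here is an added example, not code from the original post or from Duo, of the mechanism that paragraph describes using the openssl command line: a key pair is generated for the device, the private half never leaves it, and each approval is an RSA PKCS#1 v1.5 signature over the request that the service checks with the registered public key. The request text and file names are constructed for the demonstration and are not Duo's wire format.

```shell
#!/bin/sh
# Added example (not from the post or from Duo): device-held key signs each
# login approval; the service verifies it and rejects any altered request.

# gen_device_keypair DIR
# The private key is the "something you have" and stays on the phone; only
# the public half would be registered with the service at enrolment.
gen_device_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/device.key" 2>/dev/null &&
    openssl pkey -in "$1/device.key" -pubout -out "$1/device.pub" 2>/dev/null
}

# sign_request PRIVKEY REQUEST SIGFILE
# SHA-256 digest of the request, signed with RSA PKCS#1 v1.5 padding.
sign_request() {
    openssl dgst -sha256 -sigopt rsa_padding_mode:pkcs1 -sign "$1" -out "$3" "$2"
}

# verify_request PUBKEY REQUEST SIGFILE
# Exit status 0 only if the signature was produced over exactly this request
# by the key whose public half is PUBKEY.
verify_request() {
    openssl dgst -sha256 -sigopt rsa_padding_mode:pkcs1 -verify "$1" \
        -signature "$3" "$2" >/dev/null 2>&1
}

# Demonstration with a constructed approval message.
d=$(mktemp -d)
gen_device_keypair "$d"
printf 'txid=constructed-0001\nuser=alice\nhost=example.invalid\naction=approve\n' > "$d/request"
sign_request "$d/device.key" "$d/request" "$d/request.sig"
verify_request "$d/device.pub" "$d/request" "$d/request.sig" && echo "genuine approval verified"
# Any change to the signed text, such as flipping the decision, fails
# verification, and without the private key nobody can re-sign the altered
# request; a passcode typed into a form gives no such binding.
sed 's/action=approve/action=deny/' "$d/request" > "$d/tampered"
verify_request "$d/device.pub" "$d/tampered" "$d/request.sig" || echo "tampered request rejected"
rm -rf "$d"
```

The point for a defender is that the signature binds the approval to a specific transaction and a specific enrolled key, which is why the paragraph can call it a stronger assertion than a six-digit code that anyone who sees it can replay.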

Could Add more..?

Services like this live and die by the support they can get. The VPN support is highly impressive; however I'd like to see it being picked up by more services, as Drupal has done. I'm going to contact ownCloud and see if they can add the service.

Conclusion

This is a simple system to install and has a huge number of options; it's a good free option and the Windows Phone 8 software is just another win for me.

Links


3 comments on "Enabling Dual Factor Authentication on Linux SSH logins.."

  1. Mike V
    May 12, 2013

    Solid article. Good job.

  2. Pingback: projectz
