Tech, Gadgets, Photography, Social Media and Poor Spelling
A couple of weeks ago I wrote a post on using a Chromebook to develop on a cloud platform. It's based on a Digital Ocean remote server, and like most people who want to reach the command-line interface on a remote server, I use SSH. It's an encrypted connection over the network/internet from end to end. However, this being a cloud server, I was wondering whether it was possible to secure it a little bit more.
A chat with a friend on the way into work provided me with a solution.
The solution is two-factor authentication, a system based on a simple premise: something you know (the SSH password in this case) and something you have (your mobile phone in this case, though it could be a secure token), which delivers a random number.
Two-factor authentication enhances the security of your online accounts by using your phone to verify your identity. This prevents anyone but you from accessing your accounts, even if they know your password.
How It Works
You’ll enter your username and password as usual, then use your mobile phone to verify that it’s you.
No mobile phone? You can also use a landline or ask your administrator for a hardware token. Duo also lets you link multiple phones to your account, so you can use your mobile phone and a landline, a landline and a hardware token, etc.
Why Do I Need This?
Passwords are becoming increasingly easy to compromise. They can often be stolen, guessed, and hacked — you might not even know who else has your password and is accessing your account.
Two-factor authentication adds a second layer of security to your account to make sure that your account stays safe, even if someone else knows your password. And you’ll be alerted right away (on your phone) if someone does know your password and tries to log in with it.
This second factor of authentication is separate and independent from the username and password step — Duo never sees your password.
If you have enabled Google's two-factor authentication then this solution will be familiar to you; it works in much the same way, with a random number being sent to your mobile.
The solution is provided by a company called Duo Security (https://www.duosecurity.com/), and it is not just for Linux SSH; it's a full corporate offering supporting VPNs, including those from the following vendors.
The site covers the basics of installing and suggests that within 15 minutes, with no hardware or software, it can provide integration with the above VPNs; not something I've personally tested (yet).
There is also an SDK available to add the system to your web pages, with client libraries available for Python, Ruby, Classic ASP, ASP.NET, Java, PHP, Node.js, ColdFusion, and Perl. Again the site provides a guide on how to implement this and suggests it's just a few lines of code.
What's interesting as well, and useful for many companies, is the support for remote Microsoft services such as RDP and OWA.
Protecting remote access with two-factor authentication is the best way to protect your organization against phishing attacks, account takeover, and data theft. Duo Security enables you to easily deploy strong two-factor authentication on your Microsoft servers. Duo’s drop-in integrations for Outlook Web App (OWA), Remote Desktop (RDP), and Threat Management Gateway (TMG) make setting up and configuring Duo two-factor authentication fast and easy. Because Duo leverages your users’ existing devices — their mobile phones — as their authentication factor, deploying Duo two-factor authentication to your users is painless too.
However, just go over to the company's web page if you want to learn more about this stuff (https://www.duosecurity.com/solutions/overview).
It's SSH I was interested in, and setting it up on my Digital Ocean cloud server to protect my SSH sessions a little bit more. The instructions the site provides cover several Linux versions (Ubuntu, SUSE, Fedora, Gentoo), and I tested them on an Ubuntu 12.10 32-bit server.
Duo can be enabled on any Unix system with the addition of a simple login_duo utility or pam_duo PAM module. The code is open-source and available on GitHub.
This integration communicates with Duo's service on TCP port 443. Locking down your firewall to individual IP addresses is not recommended, since these may change over time to maintain the service's high availability.
OpenSSL development headers and libraries are required for login_duo, so you'll want to install those first. libpam is also a required dependency for pam_duo. See this README for dependency installation instructions on various platforms.
sudo apt-get install libssl-dev
sudo apt-get install build-essential
Click here to download the latest version of duo_unix (checksum here). Then build and install:
tar zxf duo_unix-1.9.tar.gz
cd duo_unix-1.9
./configure --prefix=/usr && make && sudo make install
Once duo_unix is installed, edit login_duo.conf (in /etc/duo or /etc/security) to add your integration key, secret key, and API hostname:
sudo nano /etc/duo/login_duo.conf
[duo]
; Duo integration key
ikey = INTEGRATION_KEY
; Duo secret key
skey = SECRET_KEY
; Duo API hostname
host = API_HOSTNAME
The key information is found on the Duo Security Integrations page you set up earlier.
As a regular user, test login_duo manually by running /usr/sbin/login_duo:
If everything is set up correctly, you'll be given an enrolment link and prompted to enrol:
Visit the URL, enrol your phone, and then try login_duo again, this time adding a command to run after authentication is complete:
/usr/sbin/login_duo echo 'YOU ROCK!'
You should see something like this:
To protect remote access via SSH, use login_duo. To enable two-factor authentication for any SSH login method (password, pubkey, etc.) for any user, edit your sshd_config (usually in /etc/ssh) to add the following line at the end:
sudo nano /etc/ssh/sshd_config
It's strongly recommended that you disable PermitTunnel and AllowTcpForwarding in your sshd_config when using login_duo to protect SSH logins. Since OpenSSH sets up port forwarding and tunneling before Duo's two-factor challenge, an attacker may be able to access internal services via port forwarding before completing secondary authentication. Adding the following lines to your sshd_config will prevent this scenario:
PermitTunnel no
AllowTcpForwarding no
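As an added post-install check (my own script for this page, not part of duo_unix or Duo's documentation), the following audits the two files the steps above touch. For login_duo.conf it confirms the INTEGRATION_KEY, SECRET_KEY and API_HOSTNAME placeholders were actually replaced and that the file, which holds the shared secret key, is not readable by group or others. For sshd_config it reports the effective values of PermitTunnel and AllowTcpForwarding, honouring sshd's rule that the first occurrence of a keyword wins and its defaults (PermitTunnel no, AllowTcpForwarding yes), so an AllowTcpForwarding that is simply never mentioned is correctly flagged as still enabled. The ForceCommand check rests on an assumption: that login_duo is hooked into sshd through OpenSSH's ForceCommand directive, which is how the duo_unix README wires it up but is not reproduced on this page. The sample configs are constructed for the test.

```python
import configparser
import stat

# Constructed sample configs for offline testing; not copied from any real server.
SAMPLE_LOGIN_DUO_CONF = """\
[duo]
; Duo integration key
ikey = INTEGRATION_KEY
; Duo secret key
skey = SECRET_KEY
; Duo API hostname
host = API_HOSTNAME
"""

SAMPLE_SSHD_CONFIG_WEAK = """\
Port 22
PermitTunnel no
# AllowTcpForwarding never set, so sshd's default (yes) applies
ForceCommand /usr/sbin/login_duo
"""

SAMPLE_SSHD_CONFIG_HARDENED = """\
Port 22
ForceCommand /usr/sbin/login_duo
PermitTunnel no
AllowTcpForwarding no
"""

PLACEHOLDERS = {"INTEGRATION_KEY", "SECRET_KEY", "API_HOSTNAME"}

# Defaults from sshd_config(5) for the two directives the text says to disable.
SSHD_DEFAULTS = {"permittunnel": "no", "allowtcpforwarding": "yes"}


def audit_login_duo_conf(text: str, mode: int) -> list:
    """Findings for a login_duo.conf body plus its permission bits (os.stat().st_mode)."""
    findings = []
    parser = configparser.ConfigParser()  # ';' comment lines are ignored by default
    parser.read_string(text)
    if not parser.has_section("duo"):
        return ["missing [duo] section"]
    for key in ("ikey", "skey", "host"):
        value = parser.get("duo", key, fallback="").strip()
        if not value:
            findings.append(f"{key} is not set")
        elif value in PLACEHOLDERS:
            findings.append(f"{key} still holds the placeholder {value}")
    # skey is a shared secret: any group/other permission lets local users read it.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("login_duo.conf is readable by group or others; chmod 600 it")
    return findings


def parse_sshd_config(text: str) -> dict:
    """Effective global settings. Keywords are case-insensitive and, as in sshd, the
    FIRST occurrence wins. Parsing stops at the first Match block; anything inside
    one applies conditionally and needs its own review."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def audit_sshd_config(text: str, login_duo_path: str = "/usr/sbin/login_duo") -> list:
    """Findings for an sshd_config body: forwarding/tunnel state and the login_duo hook."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, default in SSHD_DEFAULTS.items():
        effective = settings.get(keyword, default).lower()
        if effective != "no":
            origin = "explicitly set" if keyword in settings else "left at its default"
            findings.append(f"{keyword} is {effective} ({origin}); set it to no")
    # Assumption (not stated on this page): login_duo is attached via ForceCommand,
    # as in the duo_unix README. Without that line sshd never runs login_duo at all.
    if login_duo_path not in settings.get("forcecommand", ""):
        findings.append(f"no ForceCommand pointing at {login_duo_path}; login_duo is not hooked in")
    return findings


if __name__ == "__main__":
    print("login_duo.conf:", audit_login_duo_conf(SAMPLE_LOGIN_DUO_CONF, 0o100600))
    print("weak sshd_config:", audit_sshd_config(SAMPLE_SSHD_CONFIG_WEAK))
    print("hardened sshd_config:", audit_sshd_config(SAMPLE_SSHD_CONFIG_HARDENED))
```

To run it against a live box, read the two files into strings and pass `os.stat(path).st_mode` for the mode; an empty findings list for both is the state the instructions above are aiming for.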
There are additional instructions on the site for individual user configs, using pam_duo and a few other bits.
The phone support starts out with SMS messages or phone calls being made to authenticate. These however cost telephony credits; you get a thousand but have to pay for more. The phone apps are linked to your account and are provided for iOS, Android, BlackBerry and WP7/8 devices. I've got this on my BlackBerry and Nokia Lumia, and when prompted for a code or an SMS, I just generate a code on the phone app.
Duo Push is an out-of-band authentication mechanism over a mutually-authenticated secure transport, and is resilient against even the most sophisticated man-in-the-browser and credential-stealing attacks. Login requests are signed with an asymmetric PKCS#1 v1.5 key pair, which provides a stronger identity assertion than passcodes and prevents "RSA-style" breaches.
Services like this live and die by the support they can get. The VPN support is highly impressive; however, I'd like to see it being picked up by more services, as Drupal has done. I'm going to contact ownCloud and see if they can add the service.
This is a simple system to install and has a huge number of options; it's a good free option, and Windows Phone 8 software is just another win for me.