![]() ![]() As a result, a lot of online services have had multi-factor authentication feature. However, in today’s world, some of the information security professionals view password alone as an antiquated technique in securing accounts. The use of complex passwords and password managers are good first steps toward securing accounts. If one account is compromised, then all of the other accounts could potentially be accessed by the bad guys. Since we’re not living in a perfect world, this leaves the accounts to be very insecure. In a perfect world (no bad guys) people would probably pick one password across all of their accounts. In a nutshell, making it convenient for users to access their account means it is less secure. Thoughtsīalancing security and convenience is one of the biggest dilemmas that information security professionals face. # Enable MFA using Google Authenticator PAMįrom now on, all user accounts with Google Authenticator secret key will need to enter a verification code. Once the file is open, add the lines below at the end of the file. To do this, we need to edit the login configuration file. So this way, anyone who has access to the physical machine will be subjected to two-step verification. It is probably a good idea to enable 2FA to the local login (console) too. If one forgets to add the nullok argument, then the system will not allow user accounts without the secret key. Here the admin account does not have the Google Authenticator secret key yet. In this example, I created a test user account for demo purposes.Īccount with no Google Authenticator secret key The last step to make SSH 2FA work is to generate a secret key for the two-step verification. Generating Google Authenticator Secret Key Once sshd is back up, test to make sure that user can still log in without two-step verification. To restart SSH service, issue sudo service ssh restart command. With that said, we need to restart SSH daemon (sshd). In Linux, changes to Linux configuration files require a service restart to take effect, for the most part. ![]() Once the file is open, look for the line with ChallengeResponseAuthentication no and change it to yes. To do this, we need to edit the OpenSSH configuration file. PAM) to use the challenge-response authentication method. The next step is to actually configure SSH to check for backend system (e.g. Once all secret keys are generated, take out the nullok argument. My recommendation is to enable 2FA for all users so make sure to have all the users generate the secret key. The argument simply means that if a user hasn’t created secret key yet, then they’re still allowed to log in. Though, the article did not include what nullok argument means. If you want to understand the syntax, please check this site. # Enable MFA using Google Authenticator PAMĪuth required pam_google_authenticator.so nullok The first line is optional, but it’s always best to add comment lines in my opinion. $ sudo vi /etc/pam.d/sshdĪt the bottom of the file, I added the following lines below. To do this, we need to edit the PAM configuration file for SSH. With that said, we’ll need to configure PAM configuration to pass it to Google Authenticator. PAM is a way for programs to use an underlying authentication mechanism. ![]() The Google Authenticator 2FA is accomplished by integrating into Linux’s Pluggable Authentication Modules (PAM) library. $ sudo apt-get install libpam-google-authenticator -y Configuring SSH PAM Installing Google Authenticator on Ubuntu 16.04 is a piece of cake. I will keep that going, mostly because I do not have time to learn another distro, like CentOS. Ubuntu has been my distro of choice for several years now, so all of my Linux-related tutorials have been on that. As a result, I’ve also decided to start implementing 2FA in my home devices. Understandably so, because the consensus is that password is no longer enough to protect accounts in this day and age. More and more security professionals are pushing organizations to use 2FA for every sensitive systems and application. It seems like two-factor authentication (2FA) is becoming a norm these days. Related: What is multi-factor authentication? As the title says, I will be using Google Authenticator to generate a time-based one-time password (TOTP) for two-step verification. This addition of security layer is based on defense in depth, which is an information assurance concept. Today, I’ve decided to add another security layer to the host since this is a public facing server. ![]() While there are several options in mitigating SSH brute force attack, I opted to use the Fail2Ban option at the time. In my old blog post, I talked about how to mitigate from persistent SSH brute force attack. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |