author: Christian Cleberg <hello@cleberg.net>, 2024-04-29 14:18:55 -0500
committer: Christian Cleberg <hello@cleberg.net>, 2024-04-29 14:18:55 -0500
commit: fdd80eadcc2f147d0198d94b7b908764778184a2 (patch)
tree: fbec9522ea9aa13e8105efc413d2498c3c5b4cd6 /content/blog/2022-03-26-ssh-mfa.md
parent: d6c80fdc1dea9ff242a4d3c7d3939d2727a8da56 (diff)
download: cleberg.net-fdd80eadcc2f147d0198d94b7b908764778184a2.tar.gz, cleberg.net-fdd80eadcc2f147d0198d94b7b908764778184a2.tar.bz2, cleberg.net-fdd80eadcc2f147d0198d94b7b908764778184a2.zip
format line wrapping and fix escaped characters
Diffstat (limited to 'content/blog/2022-03-26-ssh-mfa.md')
-rw-r--r-- content/blog/2022-03-26-ssh-mfa.md | 83
1 files changed, 40 insertions, 43 deletions
diff --git a/content/blog/2022-03-26-ssh-mfa.md b/content/blog/2022-03-26-ssh-mfa.md index fd92446..8b444f4 100644 --- a/content/blog/2022-03-26-ssh-mfa.md +++ b/content/blog/2022-03-26-ssh-mfa.md 
@@ -1,35 +1,33 @@ +++ date = 2022-03-26 -title = "Enablt TOTP MFA for SSH" +title = "Enable TOTP MFA for SSH" description = "" draft = false +++ # Why Do I Need MFA for SSH? -If you are a sysadmin of a server anywhere (that includes at home!), you -may want an added layer of protection against intruders. This is not a -replacement for other security measures, such as: +If you are a sysadmin of a server anywhere (that includes at home!), you may +want an added layer of protection against intruders. This is not a replacement +for other security measures, such as: -- Disable root SSH -- Disable SSH password authentication -- Allow only certain users to login via SSH -- Allow SSH only from certain IPs +- Disable root SSH +- Disable SSH password authentication +- Allow only certain users to login via SSH +- Allow SSH only from certain IPs -However, MFA can be added as an additional security measure to ensure -that your server is protected. This is especially important if you need -to allow password authentication for SSH. +However, MFA can be added as an additional security measure to ensure that your +server is protected. This is especially important if you need to allow password +authentication for SSH. -For more guidance on server security measures, see my other post: -[Hardening a Public-Facing Home -Server](../hardening-a-public-facing-home-server/). +For more guidance on server security measures, see my other post: [Hardening a +Public-Facing Home Server](../hardening-a-public-facing-home-server/). # Install MFA PAM Module -PAM, which stands for Pluggable Authentication Module, is an -authentication infrastructure used on Linux systems to authenticate a -user. In order to use this technology, let\'s install the -`libpam-google-authenticator` package: +PAM, which stands for Pluggable Authentication Module, is an authentication +infrastructure used on Linux systems to authenticate a user. 
In order to use +this technology, let's install the `libpam-google-authenticator` package: ```sh sudo apt-get update @@ -43,16 +41,16 @@ sudo apt-get install libpam-google-authenticator ## Interactive Method -Once the package is installed, initialize it and following the -interactive prompts to generate your OTP or TOTP: +Once the package is installed, initialize it and following the interactive +prompts to generate your OTP or TOTP: ```sh google-authenticator ``` -If you are not sure how to answer, read the prompts carefully and think -about having to how each situation would affect your normal login -attempts. If you are still not sure, use my default responses below. +If you are not sure how to answer, read the prompts carefully and think about +having to how each situation would affect your normal login attempts. If you are +still not sure, use my default responses below. ``` txt OUTPUT @@ -60,9 +58,9 @@ OUTPUT Do you want authentication tokens to be time-based (y/n) y ``` -At this point, use an authenticator app somewhere one of your devices to -scan the QR code. Any future login attempts after our upcoming -configuration changes will require that TOTP. +At this point, use an authenticator app somewhere one of your devices to scan +the QR code. Any future login attempts after our upcoming configuration changes +will require that TOTP. ``` txt OUTPUT @@ -104,9 +102,9 @@ Do you want to enable rate-limiting? (y/n) y ## Non-Interactive Method -If you need to do this quickly, know your responses to the prompts, or -are setting this up for numerous users, the non-interactive method can -be much faster: +If you need to do this quickly, know your responses to the prompts, or are +setting this up for numerous users, the non-interactive method can be much +faster: ```sh google-authenticator -t -d -f -r 3 -R 30 -w 3 
@@ -136,23 +134,23 @@ google-authenticator [<options>] -e, --emergency-codes=N Number of emergency codes to generate ``` -This fully configures the authenticator, saves it to a file, and then -outputs the secret key, QR code, and recovery codes. (If you add the -flag `-q`, then there won\'t be any output). If you use this -command in an automated fashion, make sure your script captures the -secret key and/or recovery codes and makes them available to the user. +This fully configures the authenticator, saves it to a file, and then outputs +the secret key, QR code, and recovery codes. (If you add the flag `-q`, then +there won't be any output). If you use this command in an automated fashion, +make sure your script captures the secret key and/or recovery codes and makes +them available to the user. # PAM Configuration Settings -Once you\'ve enabled the T/OTP and have it saved to an MFA app on your -phone or other device, open the PAM `sshd` file: +Once you've enabled the T/OTP and have it saved to an MFA app on your phone or +other device, open the PAM `sshd` file: ```sh sudo nano /etc/pam.d/sshd ``` -You need to do two things in this file. First, add the following lines -to the bottom of the file: +You need to do two things in this file. First, add the following lines to the +bottom of the file: ``` config auth required pam_google_authenticator.so nullok @@ -161,8 +159,8 @@ auth required pam_permit.so Second, comment-out the following line near the top of the file. -If you leave this line uncommented, every SSH login attempt will ask for -the following three authentication factors: +If you leave this line uncommented, every SSH login attempt will ask for the +following three authentication factors: 1. Publickey 2. Password 
@@ -180,9 +178,8 @@ Finally, edit the `sshd_config` file again: sudo nano /etc/ssh/sshd_config ``` -You\'ll need to change `ChallengeResponseAuthentication` to -yes and add the `AuthenticationMethods` line to the bottom of -the file. +You'll need to change `ChallengeResponseAuthentication` to yes and add the +`AuthenticationMethods` line to the bottom of the file. ``` config ChallengeResponseAuthentication yes |
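Review bot: the front matter in the `@@ -1,35 +1,33 @@` hunk still carries `description = ""` as an unchanged context line; since this commit already edits the adjacent `title` line, fill in the description so the post gets a summary in feeds and index pages. A small style point in the same hunk: the rewrapped bullet `+- Allow only certain users to login via SSH` uses "login" as a verb; "log in" is the verb form.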
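Review bot: two grammar slips are carried over unchanged by the rewrap in the `@@ -43,16 +41,16 @@` hunk and could be fixed in the same pass: `+Once the package is installed, initialize it and following the interactive` should read "initialize it and follow the interactive prompts", and `+having to how each situation would affect your normal login attempts` should read "how each situation would affect your normal login attempts".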
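Review bot: `+At this point, use an authenticator app somewhere one of your devices to scan` in the `@@ -60,9 +58,9 @@` hunk is missing a word and should read "on one of your devices". Since the paragraph is being rewritten anyway, this is the natural place to tell the reader to write down the emergency scratch codes printed after the QR code before closing the terminal; the recovery codes are mentioned only later, in the non-interactive section, and a lost or reset phone otherwise locks the user out of SSH.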
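Review bot: the command `google-authenticator -t -d -f -r 3 -R 30 -w 3` that follows the `@@ -104,9 +102,9 @@` hunk uses `-f`, which writes the secret file in the user's home directory (`~/.google_authenticator` by default) without asking for confirmation. The paragraph recommends this exact invocation for "setting this up for numerous users", so a script that loops over accounts will silently replace any token a user has already enrolled. Suggest the text mention checking for an existing secret file before running it with `-f`.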
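Review bot: the rewrapped paragraph in the `@@ -136,23 +134,23 @@` hunk contradicts itself: `+the secret key, QR code, and recovery codes. (If you add the flag `-q`, then` `+there won't be any output)` is immediately followed by `+make sure your script captures the secret key and/or recovery codes`; with `-q` there is no output to capture, so an automated script has to read the key and scratch codes from the written secret file instead (or run without `-q`). State that explicitly. In the same hunk, the unchanged PAM line `auth required pam_google_authenticator.so nullok` deserves a sentence: `nullok` lets any account that has not yet run `google-authenticator` log in with no second factor at all, so it is a staged-rollout setting and should be removed once every SSH user is enrolled; a reader following the post as written ends up with MFA that is optional per user.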
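Review bot: in the `@@ -161,8 +159,8 @@` hunk the context line `Second, comment-out the following line near the top of the file.` is followed directly by a blank line and then `+If you leave this line uncommented, every SSH login attempt will ask for the`; because diff context lines are contiguous, this shows the post never actually displays the line the reader is supposed to comment out. Add a `config` fence with that line between the two sentences (on Debian-based systems this is the `@include common-auth` line that pulls in password authentication), otherwise the instruction cannot be followed.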
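Review bot: `+You'll need to change `ChallengeResponseAuthentication` to yes and add the` in the `@@ -180,9 +178,8 @@` hunk is correct for older servers, but since OpenSSH 8.7 `ChallengeResponseAuthentication` is only a deprecated alias for `KbdInteractiveAuthentication`; mention `KbdInteractiveAuthentication yes` alongside it so readers on current releases do not hunt for the old keyword. The value of the `AuthenticationMethods` line is outside the visible hunk, so it cannot be reviewed here, but the section should tell the reader to run `sshd -t` and to keep an existing SSH session open while restarting `sshd`, because a mistake in either setting locks everyone out of the host.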