Implement 2FA for SSH servers #85

Closed
opened 2023-03-11 13:56:09 -08:00 by Jafner · 18 comments
Jafner commented 2023-03-11 13:56:09 -08:00 (Migrated from gitlab.jafner.net)

https://ubuntu.com/tutorials/configure-ssh-2fa#2-installing-and-configuring-required-packages

Should be trivial to implement via the `libpam-google-authenticator` package. This will require another device be set up to access servers over SSH. This strongly mitigates risk of lateral movement inside the environment if an SSH key is compromised.

- [x] server
- [ ] nas (already has 2fa for webui)
- [ ] backup nas (already has 2fa for webui)
- [x] wyse
- [x] pi
- [ ] router
- [x] jafner.chat
Jafner commented 2023-03-11 17:50:09 -08:00 (Migrated from gitlab.jafner.net)

changed the description
Jafner commented 2023-03-11 18:09:39 -08:00 (Migrated from gitlab.jafner.net)

changed the description
Jafner commented 2023-03-11 18:51:43 -08:00 (Migrated from gitlab.jafner.net)

Starting with the Pi to ensure least possible impact of lockout due to botched configuration.

1. We run: `sudo apt install libpam-google-authenticator` to install the google authenticator PAM (pluggable authentication module) library for SSH.

2. Then configure the google authenticator module with `google-authenticator` and when prompted use the following configuration:

   - Do you want authentication tokens to be time-based? `y`
   - Do you want me to update your "/home/$USER/.google_authenticator" file? `y`
   - Do you want to disallow multiple uses of the same authentication token? `y`
   - Do you want to do so? `n` (refers to increasing time skew window)
   - Do you want to enable rate-limiting? `y`

   We enter our TOTP secret key into our second authentication method and save our one-time backup recovery codes.

3. We edit our PAM SSHD config with `sudo nano /etc/pam.d/sshd` and add the line `auth sufficient pam_google_authenticator.so nullok` at the top of the file.

4. Then edit the SSH daemon config via `sudo nano /etc/ssh/sshd_config` and ensure the following configuration assertions exist:

   - `PubkeyAuthentication yes`
   - `AuthenticationMethods publickey,keyboard-interactive`
   - `PasswordAuthentication no`
   - `ChallengeResponseAuthentication yes`
   - `UsePAM yes`

5. Then restart the SSH daemon with `sudo systemctl restart sshd.service`.

6. We open a new connection to our newly-protected host `ssh -i ~/.ssh/main_id_rsa pi@pihole1`. If everything worked properly, we should see a prompt for `Verification code:`.

Note: If using [`Tabby`](https://tabby.sh/) as the SSH client, you may need to switch from the "Key" authentication method to the "Auto" authentication method. Otherwise you will encounter an `All configured authentication methods failed` error.
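A pre-restart check for the procedure in the comment above, added here as an example (not part of the original issue or Jafner's own tooling): it reads an `sshd_config` file and the PAM `sshd` file and reports which of the five directives or the `pam_google_authenticator.so` line are missing, so a botched edit is caught before the daemon restart. File names and contents are constructed samples; the function names `sshd_value` and `check_sshd_2fa` are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): pre-restart check that an sshd_config file
# and the PAM sshd file carry the directives and PAM line listed above, so a
# botched edit is caught before `systemctl restart sshd.service` locks us out.
# Assumes `keyword value` syntax (no `key=value`); sample files are constructed.

# Effective value of keyword $2 in file $1: sshd uses the FIRST occurrence, and
# directives after a Match line are conditional, so we stop reading there.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }' "$1"
}

check_sshd_2fa() {
    cfg="$1"; pam="$2"; rc=0
    for pair in PubkeyAuthentication=yes \
                AuthenticationMethods=publickey,keyboard-interactive \
                PasswordAuthentication=no \
                ChallengeResponseAuthentication=yes \
                UsePAM=yes; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_value "$cfg" "$key")"
        # OpenSSH 8.7+ treats ChallengeResponseAuthentication as an alias of
        # KbdInteractiveAuthentication, so accept either spelling.
        if [ -z "$got" ] && [ "$key" = ChallengeResponseAuthentication ]; then
            got="$(sshd_value "$cfg" KbdInteractiveAuthentication)"
        fi
        if [ "$got" != "$want" ]; then
            echo "MISSING: $key $want (found: '${got:-unset}')"; rc=1
        fi
    done
    # The PAM line must be present and not commented out.
    grep -Eq '^[[:space:]]*auth[[:space:]]+(sufficient|required|requisite)[[:space:]]+pam_google_authenticator\.so' "$pam" \
        || { echo "MISSING: pam_google_authenticator.so line in $pam"; rc=1; }
    return $rc
}

# Constructed samples: one host configured as above, one with typical mistakes
# (AuthenticationMethods only inside a Match block, PAM line commented out).
tmp="$(mktemp -d)"
printf '%s\n' 'PubkeyAuthentication yes' 'AuthenticationMethods publickey,keyboard-interactive' \
    'PasswordAuthentication no' 'ChallengeResponseAuthentication yes' 'UsePAM yes' > "$tmp/good.conf"
printf '%s\n' 'auth sufficient pam_google_authenticator.so nullok' '@include common-auth' > "$tmp/good.pam"
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' 'KbdInteractiveAuthentication yes' \
    'UsePAM yes' 'Match User pi' '    AuthenticationMethods publickey,keyboard-interactive' > "$tmp/bad.conf"
printf '%s\n' '#auth sufficient pam_google_authenticator.so nullok' '@include common-auth' > "$tmp/bad.pam"
check_sshd_2fa "$tmp/good.conf" "$tmp/good.pam" && echo "good.conf: safe to restart sshd"
check_sshd_2fa "$tmp/bad.conf" "$tmp/bad.pam" || echo "bad.conf: fix before restarting sshd"
```

Run it against the real `/etc/ssh/sshd_config` and `/etc/pam.d/sshd` between steps 4 and 5, keeping the existing SSH session open until the new one prompts for `Verification code:`.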
Jafner commented 2023-03-11 18:54:45 -08:00 (Migrated from gitlab.jafner.net)

marked the checklist item pi as completed
Jafner commented 2023-03-11 19:09:03 -08:00 (Migrated from gitlab.jafner.net)

marked the checklist item jafner.chat as completed
Jafner commented 2023-03-11 19:55:35 -08:00 (Migrated from gitlab.jafner.net)

marked the checklist item server as completed
Jafner commented 2023-03-11 20:22:52 -08:00 (Migrated from gitlab.jafner.net)

marked the checklist item wyse as completed
Jafner commented 2023-03-11 20:38:10 -08:00 (Migrated from gitlab.jafner.net)

VyOS is going to be a slightly different process.

https://docs.vyos.io/en/latest/configuration/system/login.html

Looks like we're going to have to update our VyOS version. OTP functionality was implemented [late 2022](https://vyos.dev/T4751).
Jafner commented 2023-04-14 14:47:29 -07:00 (Migrated from gitlab.jafner.net)

This has been done to the extent of current feasibility.

Will need to revisit when VyOS issue progresses and an opportunity for an extended service window presents itself.
Jafner commented 2023-04-16 16:09:18 -07:00 (Migrated from gitlab.jafner.net)
Consider looking at keycloak PAM: https://www.reddit.com/r/selfhosted/comments/12omoyn/linux_system_authentication_with_keycloak_sso/
Jafner commented 2023-08-04 11:29:27 -07:00 (Migrated from gitlab.jafner.net)

marked the checklist item nas (already has 2fa for webui) as completed
Jafner commented 2023-08-04 11:29:30 -07:00 (Migrated from gitlab.jafner.net)

marked the checklist item backup nas (already has 2fa for webui) as completed
Jafner commented 2023-08-04 11:29:34 -07:00 (Migrated from gitlab.jafner.net)

marked the checklist item nas (already has 2fa for webui) as incomplete
Jafner commented 2023-08-04 11:29:37 -07:00 (Migrated from gitlab.jafner.net)

marked the checklist item backup nas (already has 2fa for webui) as incomplete
Jafner commented 2023-08-04 11:36:56 -07:00 (Migrated from gitlab.jafner.net)
Instructions for SSH 2FA in TrueNAS: https://www.truenas.com/community/threads/2fa-ssh-with-key-auth.104282/
Jafner commented 2023-10-05 12:01:51 -07:00 (Migrated from gitlab.jafner.net)

mentioned in issue #92
Jafner commented 2023-10-16 21:54:49 -07:00 (Migrated from gitlab.jafner.net)

Implemented per the instructions.

2nd factor is not being requested when connecting via SSH.

Considering this done as far as can be for now.
Reference: Jafner/homelab#85