Ubuntu with MFA auth

Posted on Jan 18, 2022
tl;dr: Ubuntu MFA auth

Objective

To make my Ubuntu servers more robust, I’m enforcing MFA (a second authentication factor) on SSH logins. I already use an SSH key, and adding a second factor raises the bar further. The same setup fits a basic server or a bastion host, where it should be only one of several mechanisms protecting against threats.

Prerequisites

A working Ubuntu server or instance with SSH connectivity and internet access, that’s it.

Setup

Backup Files

Connected as my user, let’s first back up the files that will be modified, which are /etc/ssh/sshd_config and /etc/pam.d/sshd:

sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Install Required Packages

Now, let’s install the Google Authenticator OATH-TOTP package, which integrates with PAM (Pluggable Authentication Modules):

sudo apt-get install libpam-google-authenticator 

Configure

After that, launch google-authenticator to configure it; basically, answer yes to every question.

In detail, the first question asks whether authentication tokens should be time-based.

The next one invalidates a code right after it has been used:

```
Do you want to disallow multiple use of the same authentication token (y/n)
```

Finally, enable rate limiting to hinder brute force: an attacker can only make a limited number of guesses before being blocked, which adds another layer of security.

```
Do you want to enable rate-limiting (y/n)
```

After these Google Authenticator configuration steps, we edit `/etc/ssh/sshd_config` to require the TOTP token in addition to the key:

```
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
```

We also edit the /etc/pam.d/sshd file and comment out the line

```
@include common-auth
```

This will allow a connection without prompting for a password, just the SSH key and the TOTP token.

Also, add the configuration line for Google Authenticator after the password include:

```
# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so nullok
```

The nullok at the end of the line prevents locking out users who have not yet set up TOTP; once every account is enrolled, remove it so that the second factor is actually mandatory.

After that, restart the SSH service with `sudo systemctl restart sshd.service` and we’re done; time for testing (keep the current session open while testing a new login, so a misconfiguration does not lock you out).
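Before restarting sshd, a check like the following confirms both files carry exactly the settings this walkthrough applies. It is an added example, not part of the original post; it assumes the values set above and takes the two file paths as arguments so it can also be run against the backups.

```sh
#!/bin/sh
# Added example: verify the sshd_config and pam.d/sshd changes described above.
# Usage: check_mfa_config /etc/ssh/sshd_config /etc/pam.d/sshd

# Effective value of an sshd_config keyword: first match wins, as in sshd;
# keyword matching is case-insensitive and commented lines are ignored.
sshd_opt() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# check_mfa_config SSHD_CONFIG PAM_SSHD -> 0 if every check passes, 1 otherwise.
check_mfa_config() {
    cfg=$1; pam=$2; rc=0
    [ "$(sshd_opt "$cfg" UsePAM)" = "yes" ] \
        || { echo "sshd_config: UsePAM must be yes"; rc=1; }
    [ "$(sshd_opt "$cfg" ChallengeResponseAuthentication)" = "yes" ] \
        || { echo "sshd_config: ChallengeResponseAuthentication must be yes"; rc=1; }
    [ "$(sshd_opt "$cfg" AuthenticationMethods)" = "publickey,keyboard-interactive" ] \
        || { echo "sshd_config: AuthenticationMethods must be publickey,keyboard-interactive"; rc=1; }
    # An active common-auth include means a password is still prompted for.
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam"; then
        echo "pam.d/sshd: @include common-auth is still active"; rc=1
    fi
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam" \
        || { echo "pam.d/sshd: pam_google_authenticator.so line missing"; rc=1; }
    # nullok lets unenrolled users skip the token: report it so it is not forgotten.
    grep -Eq 'pam_google_authenticator\.so.*nullok' "$pam" \
        && echo "pam.d/sshd: note: nullok present, unenrolled users are not asked for a token"
    return $rc
}
```

A zero exit status means the files match the walkthrough; any mismatch is printed so it can be fixed before the service is restarted.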

What’s next

Maybe using a YubiKey to enforce access.