Two-factor authentication for SSH

The "secure shell" (SSH) is a network protocol for establishing a secure connection between hosts, by default on port 22 (which it is advisable to change). SSH clients and SSH servers are available for most operating systems. Almost any other network protocol can be tunneled inside SSH: you can work remotely on another computer, send an audio or video stream over an encrypted channel, and so on. In addition, through a SOCKS proxy on a remote host you can connect to other hosts on behalf of that remote host.

Authentication can be done with a password, but developers and system administrators traditionally use SSH keys. The problem is that the private key can be stolen. Adding a passphrase protects against theft of the private key in theory, but in practice, with key forwarding and agent caching, the key can still be used without any confirmation. Two-factor authentication solves this problem.

How to Implement Two-Factor Authentication

Developers from Honeycomb recently published detailed instructions on how to implement the appropriate infrastructure on the client and the server.

The instruction assumes that you have some basic host open to the Internet (bastion). You want to connect to this host from laptops or computers over the Internet, and access all other devices that are behind it. 2FA ensures that an attacker cannot do the same, even if he gains access to your laptop, for example, by installing malware.

The first option is OTP

OTP stands for one-time passwords, which in this case are used for SSH authentication together with the key. The developers write that this is not ideal, because an attacker can stand up a fake bastion, intercept your OTP and use it. But it is better than nothing.

In this case, the following files are added to the Chef cookbook on the server side:

  • metadata.rb
  • attributes/default.rb (copy from attributes.rb)
  • files/sshd
  • recipes/default.rb (copy from recipe.rb)
  • templates/default/users.oath.erb

Any OTP application is installed on the client side (Google Authenticator, Authy, Duo, LastPass) or a command-line tool (brew install oath-toolkit or apt install oathtool openssl); then a random base16 string (the key) is generated. It is converted to the Base32 format used by mobile authenticators and imported directly into the application.
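To make the key-handling step concrete, here is an added Python example (not code from the article or from Honeycomb's instructions) that generates a random base16 key, converts it to the Base32 form an authenticator app imports, and computes and verifies the OATH codes (HOTP per RFC 4226, TOTP per RFC 6238) that the server side compares against. The function names and the acceptance window are assumptions of this example; the test vectors are the ones published in the RFCs.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def generate_hex_secret(num_bytes: int = 20) -> str:
    """Random raw secret encoded as base16 (hex), the form stored on the server side."""
    return secrets.token_hex(num_bytes)


def hex_to_base32(hex_secret: str) -> str:
    """Convert the hex secret to the Base32 string that mobile authenticators import."""
    raw = bytes.fromhex(hex_secret)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def hotp(hex_secret: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = bytes.fromhex(hex_secret)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(hex_secret: str, unix_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second time step."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(hex_secret, unix_time // step, digits)


def verify_totp(hex_secret: str, submitted: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps to tolerate
    clock drift, comparing in constant time so timing does not leak which digits matched."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        expected = hotp(hex_secret, counter + delta)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed example run: mint a key, show what the authenticator would import,
    # then compute and verify the current code.
    key = generate_hex_secret()
    print("hex key for the server:      ", key)
    print("base32 key for the phone app:", hex_to_base32(key))
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code, "verifies:", verify_totp(key, code, now))
```

The server stores the hex form and the phone stores the Base32 form, but both are the same 20 bytes; a code that verifies here would verify against oathtool for the same secret and time step. Note that the acceptance window is what lets a phished code be replayed for up to a minute, which is the weakness the article describes when it calls OTP "not ideal".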

As a result, you can connect to the bastion and confirm that it now requires not only the passphrase but also an OTP code for authentication:

➜ ssh -A bastion
Enter passphrase for key '[snip]': 
One-time password (OATH) for '[user]': 
Welcome to Ubuntu 18.04.1 LTS...

The second option is hardware authentication

In this case, the user does not have to type an OTP code every time, since the second factor is a hardware device or biometrics.

Here the Chef configuration is a little more complicated, and the client configuration depends on the OS. But after completing all the steps, clients on macOS can confirm SSH authentication with the passphrase plus a finger on the Touch ID sensor (the second factor).

iOS and Android owners confirm the sign-in by pressing one button on the smartphone. This is a dedicated technology from Krypt.co that is even more secure than OTP.

On Linux/ChromeOS there is the option of working with YubiKey USB tokens. Of course, an attacker can steal your token, but they still do not know the passphrase.

Source: habr.com
