Securing SSH with MFA(Google Auth) on Ubuntu

barcode

This short article will go over how I’m practicing defense in depth to secure my Linux SSH access for critical infrastructure. We will install Google-Auth on a Ubuntu Server-19 and store the Scratch Codes in our LastPass Vault.  LastPass is utilizing my YubiKey which FIDO2, FIDO U2F, one-time password (OTP), OpenPGP and smart card, choice of form factors for desktop or laptop as a form of MFA to authenticate to the cloud service.  For my AuthCodes I will also be using LastPass Authenticator, even though I am installing Google Auth on the Ubuntu instance.  Finally, for those who use SecureCRT, there is one configuration change to make to your saved sessions for ease of use and compatibility.

Last Pass has a free option available and you can find Google Authenticator on your device’s App Store/Play Store. Yubikey is a paid hardware device.

What is MFA?

Multi-factor authentication combines two or more independent credentials: what the user knows (password), what the user has (security token) and what the user is (biometric verification). The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.

Source: TechTarget

What is Defense in Depth?

Defense in Depth (DiD) is an approach to cybersecurity in which a series of defensive mechanisms are layered in order to protect valuable data and information.

Source: ForcePoint

Lets get started by SSH’ing into your Ubuntu machine. I am performing these steps on a Ubuntu Server 19. There are some additional steps in securing cloud instances, such as Digital Ocean headless droplets. I will not be covering such configuration.

Step 1:  Install G-Auth – The tools for MFA.

htinoco@pi-hole:~$ sudo apt install libpam-google-authenticator

Step 2: Setup MFA on local user account.

htinoco@pi-hole:~$ google-authenticator

At this point, carefully read through the prompts and select the options that make more sense to you. Open your Authenticator App of choice and scan the MFA QR Code that is on your screen.

Now, lets concentrate on properly storing the following information before finishing the configuration.

Your new secret key is: 2445XXXXJ5L6MQ575PXXXXXX
Your verification code is XX29XX
Your emergency scratch codes are:
8659XXXX
7X0672XX
5608XXXX
268233XX
1X890XXX

Store these scratch codes somewhere safe – Do not save these on the same local device, in case of lose or theft. I will save these to my LastPass Vault.

First, lets authenticate to LastPass using YubiKey. This is where the DiD comes in to play – Maybe I’m stretching the DiD definition here, but simply writing these codes down and throwing them in a drawer is not a good backup plan.

Insert the YubiKey to your local machine – Pictured is John Wick, ensuring no dogs are harmed during this blog.

20191012_153753250_iOS.jpg

Now lets authenticate to LastPass  – I have previously setup my YubiKey to work as an MFA device under my LastPass account settings. See documentation on LastPass website for a quick how-to.

lpmfa.PNG

Once fully authenticated, lets store the scratch keys somewhere safe. I personally created a ‘Home Network’ folder inside the ‘SSH KEYS” section labeled “SCRATCH CODES”, sorted by machine host name.

Make sure to put some thought into how want to organize your LastPass Vault.

Okay, lets get back to the nuts n bolts of the MFA configuration for SSH on the Ubuntu server.

Lets edit the SSHd config file and change the default “ChallengeResponseAuthentication” to Yes.

htinoco@pi-hole:~$ sudo nano /etc/ssh/sshd_config

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes      # Change this default from no to yes!

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

Next, simply restart the SSH service:

sudo systemctl restart ssh

Now lets edit the PAM file – The LinuxPAM (short for Pluggable Authentication Modules which evolved from the Unix-PAM architecture) is a powerful suite of shared libraries used to dynamically authenticate a user to applications (or services) in a Linux system.

sudo vi /etc/pam.d/sshd

#At the very bottom of the file, add the following line:

auth required pam_google_authenticator.so

That’s it! You can test this feature by simply running ‘ssh localhost’ and you should see the following after authenticating with your password:

htinoco@pi-hole:~$ ssh localhost
Password:
Verification code:                                #<<<<< Very COOL!

Now, as I said, if you’re like me and have hundreds of sessions saved on your SecureCRT application – here is what you’ll need to do to ensure a smooth login with MFA:

 

ssh.PNG

  1. Right click on your saved session for the Ubuntu Server with MFA.
  2. Select Properties
  3. Category: SSH2
  4. Category: Authentication
    1. Select Keyboard Interactive
    2. Select OK.

This will allow for SecureCRT to handle the Verification Code prompt:

mfa2.PNG

There ya have it! you should be logged in now utilizing MFA.

If you ever lose your cell phone with the authenticator app, you can always retrieve the scratch codes from your LastPass Vault that’s encrypted on a cloud service – So it will always be available to you.. make sure you don’t lose your YubiKey the same night..

Always make sure to have a backup!

Thanks for reading,

Hugo Tinoco