Implementing 2-factor authentication for Bastion server on OCI with Google Authenticator


What is 2-FA?


2-factor authentication adds another security layer to our setup. Having more than one factor to authenticate your identity makes it much harder for an attacker to get into your system. When we say 2-factor authentication, we mean the two factors below:

1. What you know

2. What you have

We can also add further factors, such as "who you are", which can be answered with a biometric such as a thumbprint.

We are using Google Authenticator with TOTP (time-based one-time password) as the second authentication factor.


Our Use-case -

We already have a bastion server set up with the configuration below:
1. Canonical Ubuntu 16.04
2. VM.Standard.E3.Flex
3. 1 core OCPU, 16 GB memory, 1 Gbps network bandwidth
4. The instance has a dedicated public IP assigned.
5. As it is a bastion host, it is created in a public subnet with an Internet gateway.

Pre-requisite-

Please make sure your server and client (Android/iOS phone) keep the same time. Google Authenticator combines a secret key shared by client and server with the current timestamp to generate the verification code, so the code shown on the phone is the same as the one computed on the server at any point in time. Hence the client device does not need internet connectivity, and the verification code is not stored anywhere except on the client and the server.


Step by Step implementation

a. Install Google Authenticator dependencies on the OCI instance -

# yum install pam-devel
Loaded plugins: langpacks, ulninfo
ol7_UEKR4                                                                     | 2.5 kB  00:00:00
ol7_latest                                                                    | 2.7 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package pam-devel.x86_64 0:1.1.8-23.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================
 Package                Arch                Version                    Repository               Size
=====================================================================================================
Installing:
 pam-devel              x86_64              1.1.8-23.el7               ol7_latest              184 k

Transaction Summary
=====================================================================================================
Install  1 Package

Total download size: 184 k
Installed size: 528 k
Is this ok [y/d/N]: y
Downloading packages:
pam-devel-1.1.8-23.el7.x86_64.rpm                                             | 184 kB  00:00:05
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : pam-devel-1.1.8-23.el7.x86_64                                                     1/1
  Verifying  : pam-devel-1.1.8-23.el7.x86_64                                                     1/1

Installed:
  pam-devel.x86_64 0:1.1.8-23.el7

Complete!

# rpm -qa pam-devel
pam-devel-1.1.8-23.el7.x86_64

 

b. Install the Google Authenticator rpm on the dmz host -

 

Download the rpm -

# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/Packages/g/google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm

Install as root -

rpm -ivh google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm

Verify -

rpm -qa | grep google-authent

google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64

c. Configure Google Authenticator on the dmz host

- Log in to the root account on the dmz host (the account we want to secure)

- Execute the command google-authenticator

- Enter y [yes] when asked to update your "~/.google_authenticator" file

- Enter y [yes] when asked to disallow multiple uses of the same authentication token

- Enter y [yes] at the prompt about tokens being good for 30 seconds and compensating for possible time-skew between the client and the server

- Enter y [yes] when asked to limit attackers to no more than 3 login attempts every 30s




d. Install the app on your smartphone (iOS/Android)


e. Scan the QR code or enter the secret key manually

f. Modify the ssh config files for Google Authenticator

1. In /etc/ssh/sshd_config, change

ChallengeResponseAuthentication no

to

ChallengeResponseAuthentication yes

2. Add one line to /etc/ssh/sshd_config so that sshd knows the cloud server accepts keyboard-interactive authentication in addition to the public key:

AuthenticationMethods publickey,password publickey,keyboard-interactive

3. At the top of /etc/pam.d/sshd, add:

auth required pam_google_authenticator.so

 

g. Restart the ssh service and test the verification code

systemctl status sshd.service -l

systemctl restart sshd

systemctl status sshd.service -l

 

Test the verification code

      

