Implementing 2-factor authentication for Bastion server on OCI with Google Authenticator

What is 2-FA?


Two-factor authentication adds another security layer to our setup. Requiring more than one factor to prove your identity makes it much harder for an attacker to get into your system. When we say two-factor authentication, we mean the following two factors -

1. What you know

2. What you have

We can also add further factors to this, for example "who you are", which can be answered with a biometric such as a thumb/fingerprint impression to authenticate your identity.

We are using Google Authenticator with TOTP (time-based one-time password) as the second authentication factor.


Our Use-case -

We already have a bastion server set up with the following configuration -
1. Canonical Ubuntu 16.04
2. VM.Standard.E3.Flex
3. 1 core OCPU, 16 GB memory, 1 Gbps network bandwidth
4. The instance has a dedicated public IP assigned.
5. As it is a bastion host, it is created in a public subnet with an Internet gateway.

Pre-requisite-

Please make sure your server and client (Android/iOS phone) have the same time. Google Authenticator generates the verification code from a secret key shared by client and server plus the current timestamp, so the code generated by the app is the same as the one computed on the server at any point in time. Hence the client device does not require internet connectivity, and the verification code is not stored anywhere except on the client and the server.
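To make the "shared secret plus timestamp" idea concrete, here is an added example (my own code, not code from the original post or from Google Authenticator) implementing RFC 6238 TOTP the way the app and the PAM module compute it: HMAC-SHA1 over the 30-second counter, truncated to 6 digits. The `TotpVerifier` class is my construction; the secret is the RFC 6238 reference key in base32, and the `window` and replay check mirror the two prompts (disallow token reuse, compensate for time skew) that the google-authenticator setup in step c asks about.

```python
# Added example (not from the original post): RFC 4226 HOTP / RFC 6238 TOTP
# as used by Google Authenticator (HMAC-SHA1, 30-second step, 6 digits).
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # Google Authenticator's default time step
DIGITS = 6         # Google Authenticator's default code length

# Constructed test secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded the way google-authenticator prints it / puts it in the QR code.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating the spaces and lower case the app shows."""
    return base64.b32decode(secret_b32.replace(" ", "").upper())


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the phone shows."""
    return hotp(decode_secret(secret_b32), at_time // step, digits)


class TotpVerifier:
    """Server-side check with the two behaviours the google-authenticator prompts ask about:
    a skew window of +/- `window` steps around the server's clock, and rejection of any
    code at or before the last accepted counter, so a captured code cannot be replayed."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP_SECONDS):
        self.secret = decode_secret(secret_b32)
        self.window = window
        self.step = step
        self.last_accepted = -1  # highest counter already consumed

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_accepted:
                continue  # used already, or older than a code we already accepted
            # constant-time compare so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("code the phone would show now:", totp(TEST_SECRET_B32, now))
    print("seconds until it rotates:", STEP_SECONDS - now % STEP_SECONDS)
```

If the phone and the server disagree on the time by more than `window` steps, `verify` fails for every code the app shows, which is exactly the symptom the pre-requisite above warns about; `window=1` is the default three-code window (previous, current, next) that the setup wizard offers to widen.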


Step by Step implementation

a. Install Google Authenticator dependencies on the OCI instance –

# yum install pam-devel

Loaded plugins: langpacks, ulninfo

ol7_UEKR4                                                                     | 2.5 kB  00:00:00

ol7_latest                                                                    | 2.7 kB  00:00:00

Resolving Dependencies

--> Running transaction check

---> Package pam-devel.x86_64 0:1.1.8-23.el7 will be installed

--> Finished Dependency Resolution


Dependencies Resolved


=====================================================================================================

 Package                Arch                Version                    Repository               Size

=====================================================================================================

Installing:

 pam-devel              x86_64              1.1.8-23.el7               ol7_latest              184 k


Transaction Summary

=====================================================================================================

Install  1 Package


Total download size: 184 k

Installed size: 528 k

Is this ok [y/d/N]: y

Downloading packages:

pam-devel-1.1.8-23.el7.x86_64.rpm                                             | 184 kB  00:00:05

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

Warning: RPMDB altered outside of yum.

  Installing : pam-devel-1.1.8-23.el7.x86_64                                                     1/1

  Verifying  : pam-devel-1.1.8-23.el7.x86_64                                                     1/1

Installed:

  pam-devel.x86_64 0:1.1.8-23.el7

Complete!


# rpm -qa pam-devel

pam-devel-1.1.8-23.el7.x86_64


b. Install the Google Authenticator rpm on the dmz host –

Download rpm –

# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/Packages/g/google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm

Install as root –

rpm -ivh google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm

Verify-

rpm -qa | grep google-authent

google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64

c. Configure Google Authenticator on the dmz host

- Connect as the root account on the dmz host (the account which we would like to secure)

- Run the command google-authenticator

- Enter y [yes] when asked to update your “~/.google_authenticator” file

- Enter y [yes] when asked to disallow multiple uses of the same authentication token

- Enter y [yes] when asked whether to widen the accepted time window to compensate for possible time skew between the client and the server (tokens are good for 30 seconds)

- Enter y [yes] when asked to limit attackers to no more than 3 login attempts every 30s




d. Install the app on a smartphone (iOS/Android)

e. Scan the QR code or enter the key manually

f. Modify the ssh config files for Google Authenticator

1. In /etc/ssh/sshd_config change

ChallengeResponseAuthentication no

to

ChallengeResponseAuthentication yes

2. Add one line to /etc/ssh/sshd_config so that sshd knows the cloud server will accept keyboard-interactive authentication (after the public key) –

AuthenticationMethods publickey,password publickey,keyboard-interactive

3. Add the following line to the auth section near the top of /etc/pam.d/sshd –

auth required pam_google_authenticator.so
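The three edits in steps 1 to 3 are easy to get subtly wrong, because sshd uses the first value it reads for a keyword: a `ChallengeResponseAuthentication no` left higher up in the file silently wins over a `yes` appended at the bottom. The following added example (my own Python, not code from the original post, OpenSSH or Linux-PAM) rewrites the first occurrence, appends `AuthenticationMethods` if missing, inserts the PAM line right after the `#%PAM-1.0` header, and reports the values that are actually in effect. The sample config texts are constructed for the example, and `Match` blocks are deliberately not handled.

```python
# Added example (not from the original post): apply the sshd_config and
# /etc/pam.d/sshd edits from steps 1-3 to config text and report the values
# sshd will actually use. Assumption: sshd takes the FIRST value it reads for
# a keyword, so an earlier "ChallengeResponseAuthentication no" beats a later
# "yes". Match blocks are not handled (simplification).

PAM_LINE = "auth required pam_google_authenticator.so"
REQUIRED = [
    ("ChallengeResponseAuthentication", "yes"),
    ("AuthenticationMethods", "publickey,password publickey,keyboard-interactive"),
]

# Constructed sample files (not copied from any real server).
SAMPLE_SSHD_CONFIG = """\
Port 22
ChallengeResponseAuthentication no
PasswordAuthentication no
# ChallengeResponseAuthentication yes   <- commented out, does not count
ChallengeResponseAuthentication yes
"""

SAMPLE_PAM_SSHD = """\
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
"""


def _active_lines(text):
    """Yield (index, keyword_lower, rest) for non-blank, non-comment lines."""
    for i, line in enumerate(text.splitlines()):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        yield i, parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def effective_sshd_options(text: str) -> dict:
    """keyword (lower-case) -> first value seen, stopping at the first Match block."""
    opts = {}
    for _, key, value in _active_lines(text):
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def patch_sshd_config(text: str) -> str:
    """Rewrite the first occurrence of each REQUIRED keyword, append the missing ones. Idempotent."""
    lines = text.splitlines()
    done = set()
    insert_at = len(lines)  # global options must precede the first Match block
    for i, key, _ in _active_lines(text):
        if key == "match":
            insert_at = i
            break
        for keyword, value in REQUIRED:
            if key == keyword.lower() and key not in done:
                lines[i] = f"{keyword} {value}"
                done.add(key)
    lines[insert_at:insert_at] = [f"{k} {v}" for k, v in REQUIRED if k.lower() not in done]
    return "\n".join(lines) + "\n"


def pam_has_google_auth(text: str) -> bool:
    """True if an uncommented 'auth' line loads pam_google_authenticator.so."""
    return any(key == "auth" and "pam_google_authenticator.so" in rest.split()
               for _, key, rest in _active_lines(text))


def ensure_pam_google_auth(text: str) -> str:
    """Insert the auth line right after the #%PAM-1.0 header (step 3), if absent."""
    if pam_has_google_auth(text):
        return text
    lines = text.splitlines()
    pos = 1 if lines and lines[0].startswith("#%PAM") else 0
    lines.insert(pos, PAM_LINE)
    return "\n".join(lines) + "\n"


def mfa_config_problems(sshd_text: str, pam_text: str) -> list:
    """List what still blocks OTP login; an empty list means all three edits are effective."""
    problems = []
    opts = effective_sshd_options(sshd_text)
    for keyword, want in REQUIRED:
        got = opts.get(keyword.lower())
        if got is None:
            problems.append(f"{keyword} not set (sshd default applies)")
        elif got.lower() != want.lower():
            problems.append(f"{keyword} is '{got}', expected '{want}'")
    if not pam_has_google_auth(pam_text):
        problems.append("no 'auth ... pam_google_authenticator.so' line in /etc/pam.d/sshd")
    return problems


if __name__ == "__main__":
    print("before:", mfa_config_problems(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD))
    fixed_sshd = patch_sshd_config(SAMPLE_SSHD_CONFIG)
    fixed_pam = ensure_pam_google_auth(SAMPLE_PAM_SSHD)
    print("after:", mfa_config_problems(fixed_sshd, fixed_pam))
    print(fixed_sshd)
```

Write the patched text back with a backup, run `sshd -t` to syntax-check it, and keep your current session open while restarting sshd so a mistake cannot lock you out. The `AuthenticationMethods` value means "public key, then password" or "public key, then keyboard-interactive"; keyboard-interactive is the method that carries the PAM prompt, so with `ChallengeResponseAuthentication` still `no` the verification code is never asked for.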


g. Restart the ssh service and test the verification code

systemctl status sshd.service -l

systemctl restart sshd

systemctl status sshd.service -l


Test verification code
