Two-Factor Authentication
Latest revision as of 01:10, 9 October 2021
The CSC currently uses DUO 2FA for off-campus SSH access to the general-use machines. This makes it easy to sign up new members remotely, who almost certainly already have the DUO app installed.
For members
If you are on campus, you may SSH into any general-use machine via:
- public key authentication
- password
- GSSAPI (Kerberos ticket)
If you are using a student CS machine as a jump host, or are using the campus VPN, this also counts as being on campus.
If you are off campus, you may SSH into any general-use machine via:
- public key authentication
- password and DUO
Note that you may not SSH remotely into a CSC machine using only your password. After you enter your password, you should see a prompt from DUO.
For syscom
We are using the pam_duo module to contact the DUO server.
sshd config
This is the relevant portion of /etc/ssh/sshd_config:

# For pam_duo
UsePAM yes

# DUO should be passed the IP address, not the hostname
UseDNS no

# public key authentication with authorized_keys
PubkeyAuthentication yes

# Everyone *must* go through PAM for authentication ('keyboard-interactive'),
# unless they use GSSAPI or pubkey.
# Despite PasswordAuthentication being set to 'no', users may still use a
# password to login via PAM.
# See /etc/pam.d/sshd.
PasswordAuthentication no
PermitEmptyPasswords no
KerberosAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey gssapi-with-mic keyboard-interactive

# Disable root login by default (off-campus)
PermitRootLogin no

# On-campus
# If you update the IP addresses here, make sure to also update /etc/security/pam_on_campus.conf
Match Address 129.97.0.0/16,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,2620:101:f000::/47,fd74:6b6a:8eca::/47
    PermitRootLogin yes

AuthenticationMethods lists alternatives (space separated), so a login succeeds with publickey alone, GSSAPI alone, or keyboard-interactive alone. Keyboard-interactive basically means "use PAM": it is the only one of the three that runs the auth stack in /etc/pam.d/sshd, which is where the password and DUO prompts come from. With PasswordAuthentication off, sshd never verifies a password itself. On OpenSSH 8.7 and later the directive is called KbdInteractiveAuthentication; ChallengeResponseAuthentication is kept as an alias.
PAM config
Here is the relevant section of /etc/pam.d/sshd:

# Early kill switch.
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/pam_on_campus.conf
auth requisite pam_succeed_if.so user != root

# Standard Un*x authentication.
@include common-auth

# Skip DUO if the user is on campus.
auth [success=2 default=ignore] pam_access.so accessfile=/etc/security/pam_on_campus.conf
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
The "early kill switch" rejects an off-campus root login immediately, without even asking for a password: pam_access succeeds only for on-campus addresses, and on success it skips the pam_succeed_if line; off-campus, the requisite pam_succeed_if fails the stack for root before common-auth runs. It covers only the keyboard-interactive method, however. Publickey and GSSAPI logins never run the PAM auth stack, so the Match block in sshd_config is what keeps root out off-campus for those methods. Keep both; each catches the case the other misses, which is the extra layer of security (read: peace of mind) the Match block is there for.
Once we know that the user is either on-campus, or non-root and off-campus, we run through common-auth. The user must successfully pass either pam_unix or pam_krb5/pam_sss.
Finally, we check DUO iff the user is off-campus. Note that DUO will by default accept users that do not exist in ADFS, which means that local users (i.e. in /etc/passwd) can theoretically still log in from off-campus with only a password. We don't want this; therefore, it is important that the only local user with a password should be root, since we already catch that case. Check /etc/shadow for any other account whose password field is not locked.
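The control flow described in the three paragraphs above is easy to get wrong when the jump counts change, so here is a small simulator of the /etc/pam.d/sshd auth stack. It is an added example, not the CSC's own code: the PAM modules are stand-ins with the behaviour the page describes, `@include common-auth` is modelled as one requisite password check (Debian's common-auth ends in `auth requisite pam_deny.so`), and the users, passwords, Duo enrolment and client addresses are constructed sample data.

```python
"""Simulate the auth stack from /etc/pam.d/sshd above.

Added example, not the CSC's own code. It models the Linux-PAM control
semantics the stack relies on: ``[success=N default=ignore]`` skips the next
N entries on success and is otherwise ignored, ``requisite`` fails the whole
stack at once, ``required`` records a failure but keeps going. ``@include
common-auth`` is modelled as a single requisite password check, matching
Debian's common-auth, which ends in ``auth requisite pam_deny.so``. Users,
passwords and Duo enrolment are constructed sample data.
"""
import ipaddress

# Same prefixes as /etc/security/pam_on_campus.conf on the page.
CAMPUS = [ipaddress.ip_network(p) for p in (
    "129.97.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "2620:101:f000::/47", "fd74:6b6a:8eca::/47")]

# Constructed accounts: alice is a member enrolled in Duo; backup is a local
# /etc/passwd account with a password but no Duo enrolment.
PASSWORDS = {"root": "rootpw", "alice": "alicepw", "backup": "backuppw"}
DUO_ENROLLED = {"alice"}


class Attempt:
    """One login attempt plus what the PAM conversation observed."""

    def __init__(self, user, rhost, password, duo_approves=True):
        self.user, self.rhost, self.password = user, rhost, password
        self.duo_approves = duo_approves     # would the user approve the push?
        self.asked_password = False
        self.duo_called = False
        self.granted = None


def on_campus(rhost):
    ip = ipaddress.ip_address(rhost)
    return any(ip in net for net in CAMPUS)


# Module stand-ins: each returns True for PAM_SUCCESS, False otherwise.
def pam_access(a):            # accessfile=/etc/security/pam_on_campus.conf
    return on_campus(a.rhost)


def pam_succeed_if_not_root(a):
    return a.user != "root"


def common_auth(a):           # pam_unix / pam_krb5 / pam_sss: prompt and verify
    a.asked_password = True
    return PASSWORDS.get(a.user) == a.password


def pam_duo(a):
    a.duo_called = True
    if a.user not in DUO_ENROLLED:
        return True           # default noted on the page: unknown users pass
    return a.duo_approves


def pam_deny(a):
    return False


def pam_permit(a):
    return True


# (control, module) in the order the page's /etc/pam.d/sshd lists them.
STACK = [
    ("success=1", pam_access),             # early kill switch
    ("requisite", pam_succeed_if_not_root),
    ("requisite", common_auth),            # @include common-auth
    ("success=2", pam_access),             # skip DUO if on campus
    ("success=1", pam_duo),
    ("requisite", pam_deny),
    ("required", pam_permit),
]


def run_stack(a, stack=STACK):
    """Walk the stack with Linux-PAM jump rules; True means access granted."""
    i, ok = 0, True
    while i < len(stack):
        control, module = stack[i]
        result = module(a)
        if control.startswith("success="):
            if result:
                i += int(control.split("=", 1)[1])   # jump over N entries
        elif control == "requisite":
            if not result:
                return False
        elif control == "required":
            ok = ok and result
        i += 1
    return ok


def attempt(user, rhost, password, duo_approves=True):
    a = Attempt(user, rhost, password, duo_approves)
    a.granted = run_stack(a)
    return a


if __name__ == "__main__":
    for case in [("root", "129.97.1.2", "rootpw"), ("root", "203.0.113.5", "rootpw"),
                 ("alice", "203.0.113.5", "alicepw"), ("backup", "203.0.113.5", "backuppw")]:
        a = attempt(*case)
        print(case, "granted" if a.granted else "denied",
              "password asked" if a.asked_password else "no password prompt",
              "duo called" if a.duo_called else "duo skipped")
```

Running it shows the four outcomes the text promises: root on campus is let in without DUO, root off campus is refused before any password prompt, a member off campus gets the DUO push only after a correct password, and the constructed local account `backup` (not enrolled in Duo) is let in off campus with only a password, which is exactly the hole the last paragraph warns about.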
Here is our /etc/security/pam_on_campus.conf. See pam_access for details.

# This file should be used with pam_access in /etc/pam.d/sshd.
# It grants access iff a user's IP address (rhost) is on-campus.
+:ALL:129.97.0.0/16 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 2620:101:f000::/47 fd74:6b6a:8eca::/47
-:ALL:ALL
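Two things on this page have to be checked by hand: the campus prefix list appears both in the sshd_config Match block and in pam_on_campus.conf and must stay in sync, and root must remain the only local account with a password. The script below does both checks. It is an added example, not CSC tooling; the sshd_config fragment, pam_access file and /etc/shadow excerpt are constructed inputs embedded inline (with placeholder hashes), and on a real host you would read the actual files instead (the shadow check needs root).

```python
"""Two checks the page asks for, as added example code (not CSC tooling):

1. prefix_drift() compares the prefixes in sshd_config 'Match Address' lines
   with those granted by '+:ALL:...' lines in pam_on_campus.conf and reports
   any prefix present in only one of them.
2. local_password_violations() lists every /etc/shadow entry other than root
   whose password field is not locked, i.e. an account that could satisfy
   common-auth off campus without being known to Duo.

The three inputs below are constructed excerpts with placeholder hashes.
"""
import ipaddress
import re

SSHD_CONFIG = """\
PermitRootLogin no
Match Address 129.97.0.0/16,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,2620:101:f000::/47,fd74:6b6a:8eca::/47
    PermitRootLogin yes
"""

PAM_ON_CAMPUS = """\
# This file should be used with pam_access in /etc/pam.d/sshd.
+:ALL:129.97.0.0/16 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 2620:101:f000::/47 fd74:6b6a:8eca::/47
-:ALL:ALL
"""

# Constructed /etc/shadow excerpt: root and backup have usable passwords,
# daemon is locked with '*', alice is locked with '!'.
SHADOW = """\
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:!:19000:0:99999:7:::
backup:$y$j9T$saltsalt$notarealhash:19000:0:99999:7:::
"""


def _networks(tokens):
    """Parse prefix tokens; non-prefix origins such as ALL or hostnames are skipped."""
    nets = set()
    for tok in tokens:
        try:
            nets.add(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            pass
    return nets


def sshd_match_networks(text):
    """Prefixes from every 'Match Address a,b,c' line in sshd_config."""
    nets = set()
    for m in re.finditer(r"^\s*Match\s+Address\s+(\S+)", text, re.M | re.I):
        nets |= _networks(m.group(1).split(","))
    return nets


def pam_access_networks(text):
    """Prefixes granted by '+:ALL:<origins>' lines in a pam_access file."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = line.split(":", 2)
        if perm == "+" and users == "ALL":
            nets |= _networks(origins.split())   # origins are space separated
    return nets


def prefix_drift(sshd_text, pam_text):
    """Return (only_in_sshd, only_in_pam); both empty means the lists agree."""
    a, b = sshd_match_networks(sshd_text), pam_access_networks(pam_text)
    return sorted(map(str, a - b)), sorted(map(str, b - a))


def usable_password_accounts(shadow_text):
    """Accounts whose password field is a hash, or empty (no password at all).
    Fields starting with '!' or '*' are locked and cannot authenticate."""
    users = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, hashed = line.split(":")[:2]
        if not hashed.startswith(("!", "*")):
            users.append(name)
    return users


def local_password_violations(shadow_text):
    """Every local account other than root that could log in with a password."""
    return [u for u in usable_password_accounts(shadow_text) if u != "root"]


if __name__ == "__main__":
    only_sshd, only_pam = prefix_drift(SSHD_CONFIG, PAM_ON_CAMPUS)
    print("prefixes only in sshd_config:", only_sshd)
    print("prefixes only in pam_on_campus.conf:", only_pam)
    print("local accounts with a usable password besides root:",
          local_password_violations(SHADOW))
```

Prefixes are compared as parsed networks rather than strings, so `10.0.0.0/8` and `10.0.0.1/8` count as the same entry; a hostname or `ALL` in either file is silently ignored by the drift check, so look at those by eye.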
Helpful Links
- https://uwaterloo.ca/information-systems-technology/services/two-factor-authentication
- https://duo.com/docs/duounix
- https://manpages.debian.org/stable/openssh-server/sshd_config.5.en.html
- http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
- https://man7.org/linux/man-pages/man8/pam_succeed_if.8.html
- https://linux.die.net/man/8/pam_access
- https://cern-cert.github.io/pam_2fa/