Two-Factor Authentication

The CSC currently uses DUO 2FA for off-campus SSH access to the general-use machines. This makes it easy to sign up new members remotely, who almost certainly already have the DUO app installed.

For members

If you are on campus, you may SSH into any general-use machine via:

• public key authentication
• password
• GSSAPI (Kerberos ticket)

If you are using a student CS machine as a jump host, or are using the campus VPN, this also counts as being on campus.

If you are off campus, you may SSH into any general-use machine via:

• public key authentication
• password and DUO

Note that you may not SSH remotely into a CSC machine using only your password. After you enter your password, you should see a prompt from DUO.

For syscom

We are using the pam_duo module to contact the DUO server.

Off-campus case

This is the relevant portion of /etc/ssh/sshd_config:

# For pam_duo
UsePAM yes

# DUO should be passed the IP address, not the hostname
UseDNS no

# public key authentication with authorized_keys
PubkeyAuthentication yes

# password authentication, *not* via PAM
PasswordAuthentication yes
PermitEmptyPasswords no
KerberosAuthentication yes

# for PAM conversations
ChallengeResponseAuthentication yes

# off-campus access
AuthenticationMethods publickey password,keyboard-interactive

The last line says that users may authenticate via publickey, or with a password and DUO (keyboard-interactive basically means "use PAM"). Note that sshd is not using PAM to verify the user's password; it is contacting the Kerberos server directly instead (we set KerberosAuthentication to 'yes'). Once it has verified the user's password, it runs the 'auth' sections in /etc/pam.d/sshd, which we have set to:

auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

Note that we are not including the common-auth file (which is the default). This is because at this stage, the user's password has already been verified, so DUO is the last step.

For account, session and password, sshd will still consult PAM, meaning that the user will still be prompted to change their password if +needchange was set (which we want).

On-campus case

In /etc/ssh/sshd_config, we also have:

# On-campus
Match Address 129.97.0.0/16,2620:101:f000::/47
    AuthenticationMethods publickey password gssapi-with-mic

The IP prefixes are those for AS12093 (University of Waterloo). If someone is on-campus, then they may use just a password, or a Kerberos ticket (GSSAPI).

Helpful Links

• https://uwaterloo.ca/information-systems-technology/services/two-factor-authentication
• https://duo.com/docs/duounix
• https://manpages.debian.org/stable/openssh-server/sshd_config.5.en.html
• http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
• https://cern-cert.github.io/pam_2fa/