Improving instance security using two-factor authentication with Google Authentication (2FA)
In addition to protecting your Triton cloud account in the portal with two-factor authentication, you can also protect your instances with two-factor authentication when connecting to your instance through SSH. SmartOS instances and Linux instances support one-time passwords (OTP) using any app that supports the Google Authenticator protocol. Other options may be supported if they provide a Pluggable Authentication Module (PAM) that is compatible with the libpam provided by the operating environment you are running. This document describes how to add TOTP/HOTP to SmartOS using the Google Authenticator PAM module. For Linux, refer to the documentation for your distro or the google-authenticator-libpam source.
What is two-factor authentication for SSH and how does it work on SmartOS?
SmartOS libpam allows adding additional methods of verification when connecting using SSH. The default method of verifying identity for SSH is a public and private key pair. This allows for passwordless authentication, as SSH keys are much harder to guess than passwords and are less susceptible to brute-force attacks. Private keys can be further protected with a passphrase so that if your private key is compromised or stolen, it cannot be used without knowing the passphrase. Two-factor authentication does not require the use of keys; you can use a normal password in addition to a one-time password, however, as stated earlier, passwords are not as secure as keys.
Google Authenticator Library for two-factor authentication
Using the Google Authenticator PAM library can add another layer of security to your instance. The following setup method will use the default key verification method as well as adding another factor using one-time-passwords (OTP) generated through applications that support Google Authentication OTP including Google Authenticator, Microsoft Authenticator, and 1Password. 1Password has the advantage of being available as a desktop app, a browser extension (Chrome, Firefox, Microsoft Edge, and Safari are all supported), and as a mobile app.
Installing Google Authenticator Library on SmartOS using pkgsrc and configuration for SSH/PAM
The Google Authenticator library and binary are available in pkgsrc on SmartOS. The command

    pkgin install google-authenticator-compat32

will install the Google Authenticator library, the Google Authenticator binary, and the qrencode library and binary to generate the QR code for the authentication application to use. After installation via pkgsrc, to configure ssh to use one-time-password authentication the following steps need to be taken:
- In /etc/pam.conf, add the following lines at the end of the file:

      sshd-kbdint auth required /opt/local/lib/security/i386/pam_google_authenticator.so nullok echo_verification_code
      sshd-kbdint auth required pam_allow.so.1

- In /etc/ssh/sshd_config, add the following lines to the end of the file:

      ChallengeResponseAuthentication yes
      AuthenticationMethods publickey,keyboard-interactive

- If you would like root to use TOTP, in /etc/ssh/sshd_config change the option PermitRootLogin without-password to PermitRootLogin Yes.

After making changes to /etc/ssh/sshd_config you must run svcadm restart ssh for the change to take effect. Be sure to check svcs -xv to ensure there are no errors in the config and that the service started up properly.
Many other configurations are possible. Some examples include:
- To disallow logins for all users that do not have a TOTP configuration, remove the pam_allow.so.1 line from /etc/pam.conf.
- To allow either a public key OR password+TOTP, in /etc/ssh/sshd_config set PasswordAuthentication yes and AuthenticationMethods publickey,keyboard-interactive.
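The steps above amount to appending two lines to /etc/pam.conf and setting a few keywords in /etc/ssh/sshd_config without introducing duplicates on a second run. The following POSIX sh script is an added example written for this page; it is not the article's own helper script and not part of the google-authenticator-libpam project. The file paths are parameters so the functions can be exercised against scratch copies (constructed inline below) before they are pointed at the real files; the function names ensure_line, set_sshd_option, apply_totp_config and count_line are this example's own.

```shell
#!/bin/sh
# Added example: idempotently apply the PAM and sshd settings described above.
# Real targets are /etc/pam.conf and /etc/ssh/sshd_config; here they are
# arguments so the logic can be tried on scratch copies first.

# Append a line only if that exact line is not already present.
# -x matches whole lines and -F treats the pattern as a fixed string, so the
# dots and slashes in the module path are not read as regex metacharacters.
ensure_line() {
    _file=$1
    _line=$2
    if grep -qxF -- "$_line" "$_file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$_line" >> "$_file"
}

# Set "Keyword value" in an sshd_config-style file: an existing (possibly
# commented-out) Keyword line is rewritten in place, otherwise the line is
# appended. Keywords are alphanumeric and the values used here contain no
# sed-special characters, so they are safe to interpolate into the sed script.
set_sshd_option() {
    _file=$1
    _key=$2
    _value=$3
    if grep -qE "^[[:space:]]*#?[[:space:]]*$_key([[:space:]]|$)" "$_file" 2>/dev/null; then
        # Rewrite through a temp file rather than relying on a non-portable sed -i.
        _tmp="$_file.tmp.$$"
        sed -E "s|^[[:space:]]*#?[[:space:]]*$_key([[:space:]].*)?$|$_key $_value|" "$_file" > "$_tmp" &&
            mv "$_tmp" "$_file"
    else
        printf '%s %s\n' "$_key" "$_value" >> "$_file"
    fi
}

# Number of exact occurrences of a line in a file (0 if absent); grep -c exits
# non-zero when nothing matches, so neutralise that for callers using set -e.
count_line() {
    grep -cxF -- "$2" "$1" 2>/dev/null || true
}

# Apply the article's PAM stack and sshd keywords. Pass "yes" as the third
# argument to also allow root to log in with TOTP (the article writes
# "PermitRootLogin Yes"; sshd compares these values case-insensitively).
apply_totp_config() {
    _pam=$1
    _sshd=$2
    _allow_root=${3:-no}
    ensure_line "$_pam" "sshd-kbdint auth required /opt/local/lib/security/i386/pam_google_authenticator.so nullok echo_verification_code"
    ensure_line "$_pam" "sshd-kbdint auth required pam_allow.so.1"
    set_sshd_option "$_sshd" ChallengeResponseAuthentication yes
    set_sshd_option "$_sshd" AuthenticationMethods publickey,keyboard-interactive
    if [ "$_allow_root" = "yes" ]; then
        set_sshd_option "$_sshd" PermitRootLogin yes
    fi
}

# --- Demonstration on constructed scratch files, not the live system files ---
demo_dir=$(mktemp -d)
demo_pam="$demo_dir/pam.conf"
demo_sshd="$demo_dir/sshd_config"
# Constructed starting content resembling the stock files.
printf 'other   auth required   pam_unix_auth.so.1\n' > "$demo_pam"
printf '#ChallengeResponseAuthentication yes\nPermitRootLogin without-password\n' > "$demo_sshd"

# Run twice: the second run must leave both files unchanged (no duplicates).
apply_totp_config "$demo_pam" "$demo_sshd" yes
apply_totp_config "$demo_pam" "$demo_sshd" yes

echo "Resulting $demo_sshd:"
cat "$demo_sshd"
# On the real files the remaining steps are: svcadm restart ssh, then svcs -xv.
```

When adapting the AuthenticationMethods value, keep in mind how sshd_config(5) reads it: methods separated by commas within one list must all succeed, while space-separated lists are alternatives of which any one suffices. Check the resulting line against the policy you intend before restarting sshd, and keep the existing session open while you test a fresh login, as the user set-up section below advises.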
User set up
Once 2FA is available on the system, each user needs to run a one-time set up to configure their account. It is highly recommended to use the nullok option until all users are configured to avoid getting locked out.
Each user must perform the following steps:
- Run the google-authenticator command. A QR code will be generated to be scanned by your chosen authentication application. After adding this instance to your authentication application, google-authenticator will prompt you to enter a code from the authentication application.
- After completing the user configuration, with the current connection to your instance still open, open a new terminal window or tab and connect to your instance again; this helps prevent being locked out if there are any configuration issues. After your key is validated you should be prompted to enter a verification code from your chosen authentication app. Enter the verification code and you should be at a normal prompt. This is especially important if you are configuring the root user: an invalid configuration may prevent logging in, which will be extremely difficult to remedy without operator assistance.
The instance you have configured is now protected with two-factor authentication! If you prefer building from source, use the instructions below to protect your instance.
To assist with installation I have created a bash script that includes some sed commands that will set the PAM and SSH configuration discussed here. This script will check if the lines exist before appending them. The helper script can be found here: Helper Script Download