
Hardening SSH with 2FA - LanceTaylor
https://gist.github.com/lizthegrey/9c21673f33186a9cc775464afbdce820
======
kylek
I've thought about doing something like this several times, but the
proposition of using any tools/libraries/pam modules/etc not installed by
default, custom pam/sshd configs, and generally anything "outside of the box"
sort of scares me.

I've used 2FA for SSH at $lastjobatmegacorp, however all that infrastructure
was supported by a team of people dedicated to such things. How finicky would
setting this up for myself be in practice? (Am I being paranoid for NOT
wanting to go the extra mile to ensure that I actually have access to my
systems when I need it the most?)

~~~
alias_neo
I wrote a blog post on this recently, using only open-source tools that don't
come from big corps. To have TOTP second factor on Debian (like) systems you
need only libpam-oath module on the server, and perhaps an open-source app
like FreeOTP (RedHat) on a smartphone.

I'm afraid to link it here because the traffic might kill my puny box.

~~~
jlgaddis
> _I 'm afraid to link it here because the traffic might kill my puny box._

So what if it does?

Presumably it isn't a "critical" host so the worst that could happen is, what,
no one can read what your blog posts for a little while? Eventually, the
traffic will go away and things will go back to normal, yeah?

I assume that (part of) the reason for writing your blog post was so that
others could read it. Yet, by not posting the link, you are ensuring that we
don't -- even though pretty much all of us in this comment thread are the
target audience.

Alternatively, as someone else mentioned, there are things like the Internet
Archive.

(FWIW, several years ago, a page on my blog was linked by The Atlantic one
morning and shortly thereafter it also hit the front page of (IIRC) both
Reddit and HN. The only way I figured out that "something was up" was due to
the huge number of "new follower" notifications I was getting from Twitter as
I was driving to work. At the time, I was running WordPress on a little VPS
with 1 CPU core and 768 MB of RAM and it handled the ~115,000 page views just
fine that day -- although I did have caching and such in place. YMMV.)

~~~
alias_neo
You make many valid points there.

Here's the link, let's see what happens:

Caveat lector: This is a "beginner" guide targeted at Raspberry Pi users,
ignore the Pi related parts.

I intend to publish a second part about using keys instead of passwords.

[https://2byt.es/post/totp/](https://2byt.es/post/totp/)

The blog content is open source on GitHub so feel free to raise issues if
necessary.

~~~
e12e
Nice walk-through. Re:bandwidth worries, for this crowd, you probably just
link to:
[https://github.com/2bytes/website/blob/master/content/post/t...](https://github.com/2bytes/website/blob/master/content/post/totp.md)

I doubt hn will take down github...

~~~
alias_neo
I had considered that, but as someone else else pointed out, what have I got
to lose if it's taken down?

At least with links to my blog I can use the access logs for an idea of which
articles people find interesting (I don't do other metrics/analytics due to my
philosophy).

At the moment I'm trying to build a new box to host this on but it seems Caddy
has broken source builds (again) and I need plugins for my Git hooks and Hugo
build.

Searching around for an alternative.

Edit: and thanks for the compliment.

~~~
mholt
Caddy's source builds are still working; just took a couple hours for me to
figure out and update the instructions.

------
xaduha
This is a crutch, backwards approach. Just use smart cards goddammit, that's
what they were made for!

[https://github.com/philipWendland/IsoApplet/wiki](https://github.com/philipWendland/IsoApplet/wiki)

~~~
jplayer01
Wait, really? They still make these? People still use them? How secure are
they really compared to USB tokens like a Yubikey? How do you interface with
one of these?

~~~
noinsight
> Wait, really? They still make these? People still use them?

Mandated by the US government so yes, lots of people use them.

[https://en.wikipedia.org/wiki/Common_Access_Card](https://en.wikipedia.org/wiki/Common_Access_Card)

~~~
chx
Yeah, and that's just the DoD, even the US Forest Service mandates the use of
a smartcard to log in to their VPN.

------
femto113
Development infrastructure like Jenkins has no business being on the internet,
so my preferred "second factor" is a VPN, secured with machine specific
certificates that offer only VPN connectivity, but not SSH or anything else.
This means even if a developer's Git or SSH key is floating around your
infrastructure no one without VPN access can get at it, and if a developer
loses a laptop there's a good chance you'll hear about that in time to revoke
that machine's VPN certificate before anyone has a chance to use it.

~~~
raghava
Exactly. This is what I employ as one of the safeguards as well. All important
resources accessible only to via a jumpbox, and jumbox itself is only
accessible in a VPN.

~~~
jpdb
My fear is that if the VPN connection is severed, you're locked out of your
environment.

I typically have a public bastion and just shut it down. In AWS you aren't
paying for it if it's turned off and you have an "escape hatch" if you need
it.

If someone manages to launch another instance or start the stopped one then
they would have access, but that's another can of worms.

~~~
femto113
With AWS, in an emergency you can always use the console to provision access
of some sort: SSH bastion with a public IP, second VPN, etc. This definitely
implies that explicit 2FA is needed for console access, but I’m pretty
comfortable with using smartphones for that.

------
idlewords
I have two dozen co-located servers to log into. So far I've resisted the idea
of setting up a bastion host, because that seems like a way to lock myself out
of SSH access if that machine dies. I'm also not sure of the rationale for
having a bastion host, other than "big companies do it". How do other non-
cloud people handle this access vs. security tradeoff?

I'm also curious what people's preferred fallback method is for preserving
access to machines if you lose access to your yubikey(s), assuming you keep
your private SSH key stored on one.

~~~
perlgeek
> I'm also not sure of the rationale for having a bastion host

It's a central place where you can do your logging, which many enterprises
must do for compliance reasons.

~~~
pm90
Really? Do any compliance standards specifically require this? Or is the
specific control defined in the organization itself that requires this?

I've found many compliance standards to be pretty open-ended and function-
driven, rather than prescribing specific standards. Client contracts.... they
may be a different beast, and often require specific promises by vendors.

~~~
perlgeek
I'm pretty sure that at least some of the German financial regulations require
that you can audit administrative actions on systems that are relevant for the
financial transactions.

Now, you could try to implement that on the systems themselves, but how do you
establish a mechanism that logs actions of an administrative user, and at the
same time cannot be disabled by the same administrative user?

So instead you use a shell control box as a bastion, and regular
administration of the target hosts don't have root access to the shell control
box, so they cannot circumvent logging.

I haven't yet any standards that explicitly demand bastions, but it seems to
be one of the standard implementations that have proven to pass audits, and so
it's a pretty low-risk implementation of the logging requirements.

------
druiid
If you're using a Vault system, it's also relatively easy and well documented
to use Vault for this process. There's two components, which is the OTP
configuration of Vault itself:

[https://www.vaultproject.io/docs/secrets/ssh/one-time-ssh-
pa...](https://www.vaultproject.io/docs/secrets/ssh/one-time-ssh-
passwords.html)

You also have to configure the servers to support Vault, using their PAM
integration:

[https://github.com/hashicorp/vault-ssh-
helper](https://github.com/hashicorp/vault-ssh-helper)

------
u801e
You can get 2FA over ssh by requiring both key based and password based
authentication. That is, you need both your private key and your account
password to log in (in addition to your private key passphrase).

------
therealmarv
There are scenarios where 2FA makes no sense for me. These are local password
managers and SSH keys.

Rethink this again: If your ssh key is compromised then you have a problem
overall. For my point of view there is no real security gain in 2FA ssh key
logins because your private key itself is already a secret! Only thing which
is important is to set a good passphrase for your ssh key.

However I can think of one exception of 2FA on top of ssh keys which might be
useful: 2FA for gaining root access or sudo commands. This might be okay but
the attack vector in this scenario would be that someone can see your
keystrokes or clipboard (then they most likely also have your ssh private key
if they can do that).

~~~
syntonym
As long as you have a passphrase and don't actually circumvent it (by e.g. an
agent) you basically already have 2FA (you need access to the key (on your
laptop/pc) and you need access to the passphrase (in your head)). But physical
2FA (like smartphone based ones or smartcard based ones) are nice because you
can remove them from your computer or destroy them. You can't "destroy" a
passphrase, so passphrase and sshkey are not really "independent".

------
swills
How does this compare to Teleport:

[https://github.com/gravitational/teleport](https://github.com/gravitational/teleport)

------
nerdbaggy
Once just for fun I setup HAProxy in TCP mode and depending on the host name
would direct the SSH to the correct host. But I had some nice ACLs so that if
they weren’t in the ACL they would be sent to a honeypot.

~~~
zamadatix
How did HAProxy know the host name?

~~~
xnyan
SNI
[https://en.wikipedia.org/wiki/Server_Name_Indication](https://en.wikipedia.org/wiki/Server_Name_Indication)

~~~
rkeene2
SSH does not use TLS, and does not have the TLS extension SNI.

~~~
oarsinsync
It can be tunnelled over TLS using openssl

~~~
rkeene2
That is true (and relatively easy to do with OpenSSH's ProxyCommand) but that
was not the implication of the statement that HAProxy was being used in TCP
mode to direct incoming TCP sockets to the correct backend SSH server based on
the hostname using any SSH client that understands the SSH protocol.

------
donatj
How does this compare to just putting a passphrase on your ssh credentials?

~~~
icebraining
That helps against someone stealing your computer, but not if someone hacks it
and manages to get a trojan running - it'll just keylog your passphrase.

------
metafunctor
I hadn't come across sekey before. It's sort of like a built-in Yubikey on my
mac. I like the idea.

------
luminati
disclaimer: not a security expert of any kind. Also apologies in advance for
hijacking the thread.

I loosely remember reading on HN that wireguard could be a replacement for
ssh. Is that still the case? When do you think we'd be switching away from ssh
to wire guard?

~~~
Fnoord
SSH is a service to log in securely to get CLI access. WireGuard is an
efficient VPN with low attack surface. SSH can be used to run X programs, as
proxy, or VPN.

------
monocasa
Just going to throw out there that the company I work at (JumpCloud) is a
directory service that makes it super easy to setup 2FA with your SSH.
Literally a couple checkboxes, and you can mandate that your whole staff has
2FA setup.

------
notlukesky
I work at [https://saaspass.com/](https://saaspass.com/) which offers setting
up 2FA on SSH in a super easy way

------
fiatjaf
2FA works great until you lose your phone.

~~~
jakeogh
Or your telco gets social engineered.

~~~
yjftsjthsd-h
That works on SMS, but not totp

