SecureShell/MFA: Difference between revisions
Created page with "Interactive shell access to UMIACS is going to be restricted to users who pass our multi-factor authentication requirements. We have introduced this in our VPN and now will b..." |
No edit summary |
||
| (38 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
==Overview== | |||
UMIACS has rolled out multi-factor authentication requirements when using [[SSH]] to connect to our publicly-routable hosts to provide better account and data security. Publicly-routable hosts in the context of UMIACS are hosts that have an IP address in one of the following [https://en.wikipedia.org/wiki/Subnet subnets]: | |||
* 128.8.118.0/23 | |||
* 128.8.120.0/23 | |||
* 128.8.122.0/24 | |||
* 128.8.124.0/24 | |||
* 128.8.141.0/24 | |||
* 129.2.30.0/26 | |||
SSH has two different authentication methods that we support | SSH has two different authentication methods that we currently support on all of our internal hosts: interactive password authentication and [[SSH/Keys | public key authentication]]. Multi-factor authentication-enabled SSH on our public-facing hosts only supports interactive password authentication, with the secondary factor coming from [https://it.umd.edu/multi-factor-authentication-mfa UMD's Duo instance]. We do not support public key based authentication and Duo multi-factor authentication on our public-facing hosts. Please note that unfortunately [https://en.wikipedia.org/wiki/Universal_2nd_Factor U2F] hardware tokens registered with Duo are not supported for SSH login specifically. Other hardware tokens such as a [https://www.yubico.com/products/yubikey-5-overview/ YubiKey] or [https://guide.duo.com/tokens Duo's own hardware token] will still work. | ||
==Example== | |||
The initial command or session setup for connecting to a host with multi-factor authentication enabled over SSH is the same as one that does not have it enabled. Our example for connecting to a host over SSH can be found [[SecureShell#Connecting_to_an_SSH_Server | here]]. In the below example, we are also SSH-ing to a [[Nexus]] node e.g. <code>ssh username@nexusgroup.umiacs.umd.edu</code> | |||
Once you enter the command (if using a native terminal) or start the session (PuTTY or other terminal emulators), you will be presented with the following prompt: | |||
<pre> | <pre> | ||
Password: | Password: | ||
Duo two-factor login for | </pre> | ||
Enter your UMD passphrase here (the same as if you were using interactive password authentication to connect to an internal host). After correctly entering your password, you will be taken to the following prompt. '''Please note: The options shown here will vary depending on what/how many devices you have registered with UMD's Duo instance.''' In this example, we just have a single mobile phone with an active phone number and the Duo Mobile app installed. | |||
<pre> | |||
Password: | |||
Duo two-factor login for username | |||
Enter a passcode or select one of the following options: | Enter a passcode or select one of the following options: | ||
1. Duo Push to XXX-XXX- | 1. Duo Push to XXX-XXX-1234 | ||
2. Phone call to XXX-XXX- | 2. Phone call to XXX-XXX-1234 | ||
Passcode or option (1- | Passcode or option (1-2): | ||
</pre> | </pre> | ||
(if you have a registered phone, the last 4 digits shown will be replaced with the last 4 digits of the phone number you specifically have registered) | |||
The numbered options here correspond to different methods that Duo can take to authenticate you, and are more or less identical to the options that would be presented to you via a GUI if you were attempting to sign into UMD's Duo elsewhere. | |||
===Duo Push to ___=== | |||
This will send a push notification to the Duo app on whichever device you chose for you to accept to proceed. | |||
<pre> | |||
Passcode or option (1-2): 1 | |||
Pushed a login request to your device... | |||
</pre> | |||
===Phone call to XXX-XXX-XXXX=== | |||
This will call your registered phone and ask you to press any key on your phone to proceed. | |||
<pre> | |||
Passcode or option (1-2): 2 | |||
Calling your phone... | |||
Dialing XXX-XXX-1234... | |||
</pre> | |||
(After answering) | |||
<pre>Answered. Press any key on your phone to log in.</pre> | |||
===Tap YubiKey=== | |||
In addition, you can also simply tap the sensor on your YubiKey plugged into the device you are using to SSH to have it emit a string of characters and automatically hit Enter. | |||
<pre> | |||
Enter a passcode or select one of the following options: | |||
1. Duo Push to XXX-XXX-1234 | |||
2. Phone call to XXX-XXX-1234 | |||
Passcode or option (1-2): kffuastenhldrhfhadafdarivuntddugrvjvllddjjuget | |||
</pre> | |||
==Wrapping up== | |||
After finishing your method of choice for using Duo to multi-factor authenticate, you will be logged in and can operate as normal. | |||
<pre> | |||
Success. Logging you in... | |||
Last login: Wed Feb 17 12:00:00 2021 from ... | |||
[username@nexusgroup00 ~]$ | |||
</pre> | |||
Subsequent SSH attempts from the window you have already connected to will not require multi-factor authentication, even if the host you are trying to SSH to is another public-facing host. This is because the point of origin for the network traffic behind the connection attempt is now coming from within UMIACS' network border, rather than the rest of the internet. | |||
<pre> | |||
[username@nexusgroup00 ~]$ ssh nexusgroup01.umiacs.umd.edu | |||
username@nexusgroup01.umiacs.umd.edu's password: | |||
Last login: Wed Feb 17 11:59:00 2021 from ... | |||
[username@nexusgroup01 ~]$ | |||
</pre> | |||
==Considerations== | |||
Since there is now an additional step to log in to our public-facing hosts, we would recommend using a [https://en.wikipedia.org/wiki/Terminal_multiplexer terminal multiplexer] such as [[Screen]] or [[Tmux]] to minimize the number of times you need to multi-factor authenticate. Terminal multiplexers allow you to start several different processes out of one terminal display, and also detach from and later reattach to each of the processes. | |||
Latest revision as of 20:38, 11 September 2025
Overview
UMIACS has rolled out multi-factor authentication requirements when using SSH to connect to our publicly-routable hosts to provide better account and data security. Publicly-routable hosts in the context of UMIACS are hosts that have an IP address in one of the following subnets:
- 128.8.118.0/23
- 128.8.120.0/23
- 128.8.122.0/24
- 128.8.124.0/24
- 128.8.141.0/24
- 129.2.30.0/26
SSH has two different authentication methods that we currently support on all of our internal hosts: interactive password authentication and public key authentication. Multi-factor authentication-enabled SSH on our public-facing hosts only supports interactive password authentication, with the secondary factor coming from UMD's Duo instance. We do not support public key based authentication and Duo multi-factor authentication on our public-facing hosts. Please note that unfortunately U2F hardware tokens registered with Duo are not supported for SSH login specifically. Other hardware tokens such as a YubiKey or Duo's own hardware token will still work.
Example
The initial command or session setup for connecting to a host with multi-factor authentication enabled over SSH is the same as one that does not have it enabled. Our example for connecting to a host over SSH can be found here. In the below example, we are also SSH-ing to a Nexus node e.g. ssh username@nexusgroup.umiacs.umd.edu
Once you enter the command (if using a native terminal) or start the session (PuTTY or other terminal emulators), you will be presented with the following prompt:
Password:
Enter your UMD passphrase here (the same as if you were using interactive password authentication to connect to an internal host). After correctly entering your password, you will be taken to the following prompt. Please note: The options shown here will vary depending on what/how many devices you have registered with UMD's Duo instance. In this example, we just have a single mobile phone with an active phone number and the Duo Mobile app installed.
Password: Duo two-factor login for username Enter a passcode or select one of the following options: 1. Duo Push to XXX-XXX-1234 2. Phone call to XXX-XXX-1234 Passcode or option (1-2):
(if you have a registered phone, the last 4 digits shown will be replaced with the last 4 digits of the phone number you specifically have registered)
The numbered options here correspond to different methods that Duo can take to authenticate you, and are more or less identical to the options that would be presented to you via a GUI if you were attempting to sign into UMD's Duo elsewhere.
Duo Push to ___
This will send a push notification to the Duo app on whichever device you chose for you to accept to proceed.
Passcode or option (1-2): 1 Pushed a login request to your device...
Phone call to XXX-XXX-XXXX
This will call your registered phone and ask you to press any key on your phone to proceed.
Passcode or option (1-2): 2 Calling your phone... Dialing XXX-XXX-1234...
(After answering)
Answered. Press any key on your phone to log in.
Tap YubiKey
In addition, you can also simply tap the sensor on your YubiKey plugged into the device you are using to SSH to have it emit a string of characters and automatically hit Enter.
Enter a passcode or select one of the following options: 1. Duo Push to XXX-XXX-1234 2. Phone call to XXX-XXX-1234 Passcode or option (1-2): kffuastenhldrhfhadafdarivuntddugrvjvllddjjuget
Wrapping up
After finishing your method of choice for using Duo to multi-factor authenticate, you will be logged in and can operate as normal.
Success. Logging you in... Last login: Wed Feb 17 12:00:00 2021 from ... [username@nexusgroup00 ~]$
Subsequent SSH attempts from the window you have already connected to will not require multi-factor authentication, even if the host you are trying to SSH to is another public-facing host. This is because the point of origin for the network traffic behind the connection attempt is now coming from within UMIACS' network border, rather than the rest of the internet.
[username@nexusgroup00 ~]$ ssh nexusgroup01.umiacs.umd.edu username@nexusgroup01.umiacs.umd.edu's password: Last login: Wed Feb 17 11:59:00 2021 from ... [username@nexusgroup01 ~]$
Considerations
Since there is now an additional step to log in to our public-facing hosts, we would recommend using a terminal multiplexer such as Screen or Tmux to minimize the number of times you need to multi-factor authenticate. Terminal multiplexers allow you to start several different processes out of one terminal display, and also detach from and later reattach to each of the processes.