SecureShell/MFA: Difference between revisions

From UMIACS
Jump to navigation Jump to search
No edit summary
 
(13 intermediate revisions by 2 users not shown)
Line 1: Line 1:
==Overview==
==Overview==
UMIACS will soon be rolling out multi-factor authentication requirements when using [[SSH]] to connect to our public-facing hosts to provide better account security. Public-facing hosts are hosts that are reachable without first establishing a connection to our [[VPN]]. '''If you first connect to our VPN, you will not need to additionally multi-factor authenticate when using SSH.''' This is because our VPN already requires multi-factor authentication to establish a connection, and all subsequent SSH attempts after connecting to our VPN will pass through the tunnel created (already within the UMIACS border).
UMIACS has rolled out multi-factor authentication requirements when using [[SSH]] to connect to our public-facing hosts to provide better account and data security. Public-facing hosts are hosts that are reachable via the Internet (e.g. via [https://en.wikipedia.org/wiki/Ping_(networking_utility) ping]) without first establishing a connection to our [[VPN]]. '''If you first connect to our VPN, you will not need to additionally multi-factor authenticate when using SSH.''' This is because our VPN already requires multi-factor authentication to establish a connection, and all subsequent SSH attempts after connecting to our VPN will pass through the tunnel created (already within the UMIACS border).


SSH has two different authentication methods that we currently support on all of our internal hosts: interactive password authentication and [[SSH/Keys | public key authentication]]. Multi-factor authentication-enabled SSH on our public-facing hosts only supports interactive password authentication, with the secondary factor coming from our [[Duo]] instance. We do not currently support public key based authentication and [[Duo]] multi-factor authentication on our public-facing hosts. Please note that unfortunately [https://en.wikipedia.org/wiki/Universal_2nd_Factor U2F] hardware tokens registered with Duo are not supported for SSH login specifically. Other hardware tokens such as a [https://www.yubico.com/products/yubikey-5-overview/ YubiKey] or [https://guide.duo.com/tokens Duo's own hardware token] will still work.
SSH has two different authentication methods that we currently support on all of our internal hosts: interactive password authentication and [[SSH/Keys | public key authentication]]. Multi-factor authentication-enabled SSH on our public-facing hosts only supports interactive password authentication, with the secondary factor coming from our [[Duo]] instance. We do not currently support public key based authentication and [[Duo]] multi-factor authentication on our public-facing hosts. Please note that unfortunately [https://en.wikipedia.org/wiki/Universal_2nd_Factor U2F] hardware tokens registered with Duo are not supported for SSH login specifically. Other hardware tokens such as a [https://www.yubico.com/products/yubikey-5-overview/ YubiKey] or [https://guide.duo.com/tokens Duo's own hardware token] will still work.


==Example==
==Example==
The initial command or session setup for connecting to a host with multi-factor authentication enabled over SSH is the same as one that does not have it enabled. Our example for connecting to a host over SSH can be found [[SecureShell#Connecting_to_an_SSH_Server | here]]. In the below example, we are also SSH-ing to [[OpenLAB]] e.g. <code>ssh mbaney@openlab.umiacs.umd.edu</code>
The initial command or session setup for connecting to a host with multi-factor authentication enabled over SSH is the same as one that does not have it enabled. Our example for connecting to a host over SSH can be found [[SecureShell#Connecting_to_an_SSH_Server | here]]. In the below example, we are also SSH-ing to a [[Nexus]] node e.g. <code>ssh username@nexusgroup00.umiacs.umd.edu</code>


Once you enter the command (if using a native terminal) or start the session (PuTTY or other terminal emulators), you will be presented with the following prompt:
Once you enter the command (if using a native terminal) or start the session (PuTTY or other terminal emulators), you will be presented with the following prompt:
Line 13: Line 13:
</pre>
</pre>


Enter your UMIACS password here (the same as if you were using interactive password authentication to connect to an internal host). After correctly entering your password, you will be taken to the following prompt. '''Please note: The options shown here will vary depending on what/how many devices you have registered with our Duo instance.''' In this example, we have a mobile phone that has the Duo app installed, a tablet (iPad) that has the Duo app installed, and a YubiKey all registered against our UMIACS Duo instance.
Enter your UMIACS password here (the same as if you were using interactive password authentication to connect to an internal host). After correctly entering your password, you will be taken to the following prompt. '''Please note: The options shown here will vary depending on what/how many devices you have registered with our Duo instance.''' In this example, we have a mobile phone that has the Duo app installed, a tablet (iPad) that has the Duo app installed, a Duo hardware token, and a YubiKey all registered against our UMIACS Duo instance.


<pre>
<pre>
Password:
Password:
Duo two-factor login for mbaney
Duo two-factor login for username


Enter a passcode or select one of the following options:
Enter a passcode or select one of the following options:
Line 62: Line 62:
New SMS passcodes sent.
New SMS passcodes sent.


Duo two-factor login for mbaney
Duo two-factor login for username


Enter a passcode or select one of the following options:
Enter a passcode or select one of the following options:


  1. Duo Push to XXX-XXX-1234
  1. Duo Push to XXX-XXX-1234
  2. Duo Push to IOS
  2. Duo Push to iPad (iOS)
  3. Phone call to XXX-XXX-1234
  3. Phone call to XXX-XXX-1234
  4. SMS passcodes to XXX-XXX-1234 (next code starts with: 1)
  4. SMS passcodes to XXX-XXX-1234 (next code starts with: 1)
Line 79: Line 79:
====Code shown in Duo app or hardware token====
====Code shown in Duo app or hardware token====
[[File:Duo_app_code.jpg]]
[[File:Duo_app_code.jpg]]
(if in the Duo app)
(if in the Duo app)


Line 85: Line 86:


  1. Duo Push to XXX-XXX-1234
  1. Duo Push to XXX-XXX-1234
  2. Duo Push to IOS
  2. Duo Push to iPad (iOS)
  3. Phone call to XXX-XXX-1234
  3. Phone call to XXX-XXX-1234
  4. SMS passcodes to XXX-XXX-1234
  4. SMS passcodes to XXX-XXX-1234
Line 93: Line 94:


[[File:Duo_token.png]]
[[File:Duo_token.png]]
(if using a hardware token)
(if using a hardware token)


Line 99: Line 101:


  1. Duo Push to XXX-XXX-1234
  1. Duo Push to XXX-XXX-1234
  2. Duo Push to IOS
  2. Duo Push to iPad (iOS)
  3. Phone call to XXX-XXX-1234
  3. Phone call to XXX-XXX-1234
  4. SMS passcodes to XXX-XXX-1234
  4. SMS passcodes to XXX-XXX-1234
Line 113: Line 115:


  1. Duo Push to XXX-XXX-1234
  1. Duo Push to XXX-XXX-1234
  2. Duo Push to IOS
  2. Duo Push to iPad (iOS)
  3. Phone call to XXX-XXX-1234
  3. Phone call to XXX-XXX-1234
  4. SMS passcodes to XXX-XXX-1234
  4. SMS passcodes to XXX-XXX-1234
Line 125: Line 127:
Success. Logging you in...
Success. Logging you in...
Last login: Wed Feb 17 12:00:00 2021 from ...
Last login: Wed Feb 17 12:00:00 2021 from ...
[mbaney@opensub02 ~]$
[username@nexusgroup00 ~]$
</pre>
</pre>


Subsequent SSH attempts from the window you have already connected via will not require multi-factor authentication, even if the host you are trying to SSH to is another public-facing host. This is because at this point the point of origin for the network traffic behind the connection attempt is coming from within the UMIACS border, rather than the rest of the Internet.
Subsequent SSH attempts from the window you have already connected via will not require multi-factor authentication, even if the host you are trying to SSH to is another public-facing host. This is because at this point the point of origin for the network traffic behind the connection attempt is coming from within the UMIACS border, rather than the rest of the Internet.
<pre>
<pre>
[mbaney@opensub02 ~]$ ssh cbcbsub00.umiacs.umd.edu
[username@nexusgroup00 ~]$ ssh nexusgroup01.umiacs.umd.edu
mbaney@cbcbsub00.umiacs.umd.edu's password:
username@nexusgroup01.umiacs.umd.edu's password:
Last login: Wed Feb 17 11:59:00 2021 from ...
Last login: Wed Feb 17 11:59:00 2021 from ...
[mbaney@cbcbsub00 ~]$
[username@nexusgroup01 ~]$
</pre>
</pre>


==Considerations==
==Considerations==
Since there will now be an additional step to log in to our public-facing hosts if not using our [[VPN]], we would recommend first establishing a connection over our VPN if you anticipate needing to SSH to several different hosts or need to open several different terminal windows concurrently. As mentioned previously, you will not need an additional multi-factor authentication step when using SSH if you first connect to our VPN since it is already secured by multi-factor authentication.
Since there is now an additional step to log in to our public-facing hosts if not using our [[VPN]], we would recommend first establishing a connection over our VPN if you anticipate needing to SSH to several different hosts or need to open several different terminal windows concurrently. As mentioned previously, you do not need an additional multi-factor authentication step when using SSH if you first connect to our VPN since it is already secured by multi-factor authentication.


An alternative would be to use a [https://en.wikipedia.org/wiki/Terminal_multiplexer terminal multiplexer] such as [[Screen]] (on [[RHEL7]]) or [[Tmux]] (on RHEL8+, also available in our [[Modules | module tree]] on RHEL7) to minimize the number of times you need to multi-factor authenticate. Terminal multiplexers allow you to start several different processes out of one terminal display, and also detach from and later reattach to each of the processes.
An alternative would be to use a [https://en.wikipedia.org/wiki/Terminal_multiplexer terminal multiplexer] such as [[Screen]] or [[Tmux]] to minimize the number of times you need to multi-factor authenticate. Terminal multiplexers allow you to start several different processes out of one terminal display, and also detach from and later reattach to each of the processes.

Latest revision as of 14:51, 8 January 2024

Overview

UMIACS has rolled out multi-factor authentication requirements when using SSH to connect to our public-facing hosts to provide better account and data security. Public-facing hosts are hosts that are reachable via the Internet (e.g. via ping) without first establishing a connection to our VPN. If you first connect to our VPN, you will not need to additionally multi-factor authenticate when using SSH. This is because our VPN already requires multi-factor authentication to establish a connection, and all subsequent SSH attempts after connecting to our VPN will pass through the tunnel created (already within the UMIACS border).

SSH has two different authentication methods that we currently support on all of our internal hosts: interactive password authentication and public key authentication. Multi-factor authentication-enabled SSH on our public-facing hosts only supports interactive password authentication, with the secondary factor coming from our Duo instance. We do not currently support public key based authentication and Duo multi-factor authentication on our public-facing hosts. Please note that unfortunately U2F hardware tokens registered with Duo are not supported for SSH login specifically. Other hardware tokens such as a YubiKey or Duo's own hardware token will still work.

Example

The initial command or session setup for connecting to a host with multi-factor authentication enabled over SSH is the same as one that does not have it enabled. Our example for connecting to a host over SSH can be found here. In the below example, we are also SSH-ing to a Nexus node e.g. ssh username@nexusgroup00.umiacs.umd.edu

Once you enter the command (if using a native terminal) or start the session (PuTTY or other terminal emulators), you will be presented with the following prompt:

Password:

Enter your UMIACS password here (the same as if you were using interactive password authentication to connect to an internal host). After correctly entering your password, you will be taken to the following prompt. Please note: The options shown here will vary depending on what/how many devices you have registered with our Duo instance. In this example, we have a mobile phone that has the Duo app installed, a tablet (iPad) that has the Duo app installed, a Duo hardware token, and a YubiKey all registered against our UMIACS Duo instance.

Password:
Duo two-factor login for username

Enter a passcode or select one of the following options:

 1. Duo Push to XXX-XXX-1234
 2. Duo Push to iPad (iOS)
 3. Phone call to XXX-XXX-1234
 4. SMS passcodes to XXX-XXX-1234

Passcode or option (1-4):

(if you have a registered phone, the last 4 digits shown will be replaced with the last 4 digits of the phone number you specifically have registered)

The numbered options here correspond to different methods that Duo can take to authenticate you, and are more or less identical to the options that would be presented to you via a GUI if you were attempting to sign into another of our multi-factor authentication secured services, such as our Directory application. You can also enter the passcode

Duo Push to ___

This will send a push notification to the Duo app on whichever device you chose for you to accept to proceed.

Passcode or option (1-4): 1

Pushed a login request to your device...

Phone call to XXX-XXX-XXXX

This will call your registered phone and ask you to press any key on your phone to proceed.

Passcode or option (1-4): 3

Calling your phone...
Dialing XXX-XXX-1234...

(After answering)

Answered. Press any key on your phone to log in.

SMS passcodes to XXX-XXX-XXXX

This will send a one time passcode to your registered phone via SMS and then redisplay the prompt. Type the passcode received at the new prompt (which will show the first number of the passcode sent as a hint) to proceed.

Passcode or option (1-4): 4

New SMS passcodes sent.

Duo two-factor login for username

Enter a passcode or select one of the following options:

 1. Duo Push to XXX-XXX-1234
 2. Duo Push to iPad (iOS)
 3. Phone call to XXX-XXX-1234
 4. SMS passcodes to XXX-XXX-1234 (next code starts with: 1)

Passcode or option (1-4): 1234567

Enter passcode or tap YubiKey

In addition, you can also enter the code shown in your Duo app for UMIACS, the code shown on a registered hardware token, or tap your YubiKey to emit a code:

Code shown in Duo app or hardware token

Duo app code.jpg

(if in the Duo app)

Enter a passcode or select one of the following options:

 1. Duo Push to XXX-XXX-1234
 2. Duo Push to iPad (iOS)
 3. Phone call to XXX-XXX-1234
 4. SMS passcodes to XXX-XXX-1234

Passcode or option (1-4): 672239

Duo token.png

(if using a hardware token)

Enter a passcode or select one of the following options:

 1. Duo Push to XXX-XXX-1234
 2. Duo Push to iPad (iOS)
 3. Phone call to XXX-XXX-1234
 4. SMS passcodes to XXX-XXX-1234

Passcode or option (1-4): 123456

YubiKey tap

Simply tap the sensor on your YubiKey plugged into the device you are using to SSH to have it emit a string of characters and automatically hit Enter.

Enter a passcode or select one of the following options:

 1. Duo Push to XXX-XXX-1234
 2. Duo Push to iPad (iOS)
 3. Phone call to XXX-XXX-1234
 4. SMS passcodes to XXX-XXX-1234

Passcode or option (1-4): kffuastenhldrhfhadafdarivuntddugrvjvllddjjuget

Wrapping up

After finishing your method of choice for using Duo to multi-factor authenticate, you will be logged in and can operate as normal.

Success. Logging you in...
Last login: Wed Feb 17 12:00:00 2021 from ...
[username@nexusgroup00 ~]$

Subsequent SSH attempts from the window you have already connected via will not require multi-factor authentication, even if the host you are trying to SSH to is another public-facing host. This is because at this point the point of origin for the network traffic behind the connection attempt is coming from within the UMIACS border, rather than the rest of the Internet.

[username@nexusgroup00 ~]$ ssh nexusgroup01.umiacs.umd.edu
username@nexusgroup01.umiacs.umd.edu's password:
Last login: Wed Feb 17 11:59:00 2021 from ...
[username@nexusgroup01 ~]$

Considerations

Since there is now an additional step to log in to our public-facing hosts if not using our VPN, we would recommend first establishing a connection over our VPN if you anticipate needing to SSH to several different hosts or need to open several different terminal windows concurrently. As mentioned previously, you do not need an additional multi-factor authentication step when using SSH if you first connect to our VPN since it is already secured by multi-factor authentication.

An alternative would be to use a terminal multiplexer such as Screen or Tmux to minimize the number of times you need to multi-factor authenticate. Terminal multiplexers allow you to start several different processes out of one terminal display, and also detach from and later reattach to each of the processes.