SecureShell/MFA: Difference between revisions

From UMIACS
(Created page with "Interactive shell access to UMIACS is going to be restricted to users who pass our multi-factor authentication requirements. We have introduced this in our VPN and now will b...")
 
No edit summary
'''Previous revision:'''

Interactive shell access to UMIACS is going to be restricted to users who pass our multi-factor authentication requirements. We have introduced this in our VPN and now will be introducing this requirement in our external SSH connections.

SSH has two different authentication methods that we support currently, an interactive password authentication or a ssh public key authentication. This will now require that connections external from UMIACS networks will need to pass our [[Duo]] multi-factor authentication in addition to an interactive password based authentication. Currently we do not support public key based authentication and [[Duo]] multi-factor authentication from external networks.

Users may use the [[VPN]] to attach to a UMIACS network or be physically in a location with UMIACS network access then use a ssh public key and will '''not''' be required to do an additional [[Duo]] multi-factor authentication.

'''Current revision:'''

==Overview==
UMIACS will soon be rolling out multi-factor authentication requirements when using [[SSH]] to connect to our public-facing hosts to provide better account security. Public-facing hosts are hosts that are reachable without first being connected to our [[VPN]], which already requires MFA to connect. More details on our VPN can be found [[Network/VPN | here]] (specific instructions per OS). '''If you first connect to our [[VPN]], you will not need to additionally multi-factor authenticate when using SSH.'''

SSH has two different authentication methods that we support currently on all of our internal hosts, interactive password authentication or [[SSH/Keys | public key authentication]]. Multi-factor authentication-enabled SSH on our public-facing hosts will only support interactive password authentication, with the secondary factor coming from our [[Duo]] instance. We do not currently support public key based authentication and [[Duo]] multi-factor authentication on our public-facing hosts.
==Example==
The initial command or session setup for connecting to a host with multi-factor authentication enabled over SSH is the same as one that does not have it enabled. Our example for connecting to a host over SSH can be found [[SecureShell#Connecting_to_an_SSH_Server | here]].
 
Once you enter the command (if using a native terminal) or start the session (PuTTY or other terminal emulators), you will be presented with the following prompt:
 
<pre>
Password:
</pre>
 
Enter your UMIACS password here (the same as if you were using interactive password authentication to connect to an internal host). After correctly entering your password, you will be taken to the following prompt:


'''Previous revision:'''
<pre>
$ ssh derektest@xanadu.umiacs.umd.edu
Password:
Duo two-factor login for derektest

Enter a passcode or select one of the following options:

  1. Duo Push to XXX-XXX-XXXX
  2. Phone call to XXX-XXX-XXXX
  3. SMS passcodes to XXX-XXX-XXXX (next code starts with: 1)

Passcode or option (1-3):
</pre>

'''Current revision:'''
<pre>
Password:
Duo two-factor login for mbaney

Enter a passcode or select one of the following options:

  1. Duo Push to XXX-XXX-1234
  2. Phone call to XXX-XXX-1234
  3. SMS passcodes to XXX-XXX-1234

Passcode or option (1-3):
</pre>
(the last 4 digits shown will be replaced with the last 4 digits of the phone number you have registered with our [[Duo]] instance)
The three numbered options here correspond to three different actions that Duo can take to authenticate you, and are identical to the options that would be presented to you via a GUI if you were attempting to sign into another of our multi-factor authentication secured services, such as our [https://intranet.umiacs.umd.edu/directory/auth/login Directory application]:
* Option 1 will send a push notification to the Duo app on your registered phone for you to accept to proceed.
<pre>
Passcode or option (1-3): 1
Pushed a login request to your device...
</pre>
* Option 2 will call your registered phone and ask you to press any key on your phone to proceed.
<pre>
Passcode or option (1-3): 2
Calling your phone...
Dialing XXX-XXX-1234...
</pre>
(After answering)
<pre>Answered. Press any key on your phone to log in.</pre>
* Option 3 will send a one-time passcode to your registered phone via SMS and then redisplay the prompt. Type the passcode received at the new prompt (which will show the first digit of the passcode sent) to proceed.
<pre>
Passcode or option (1-3): 3
New SMS passcodes sent.
Duo two-factor login for mbaney
Enter a passcode or select one of the following options:
1. Duo Push to XXX-XXX-1234
2. Phone call to XXX-XXX-1234
3. SMS passcodes to XXX-XXX-1234 (next code starts with: 1)
Passcode or option (1-3): 1234567
</pre>

Revision as of 21:44, 17 February 2021

Overview

UMIACS will soon be rolling out multi-factor authentication requirements when using SSH to connect to our public-facing hosts to provide better account security. Public-facing hosts are hosts that are reachable without first being connected to our VPN, which already requires MFA to connect. More details on our VPN can be found here (specific instructions per OS). If you first connect to our VPN, you will not need to additionally multi-factor authenticate when using SSH.

SSH has two different authentication methods that we support currently on all of our internal hosts, interactive password authentication or public key authentication. Multi-factor authentication-enabled SSH on our public-facing hosts will only support interactive password authentication, with the secondary factor coming from our Duo instance. We do not currently support public key based authentication and Duo multi-factor authentication on our public-facing hosts.
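The page states the policy (external clients: interactive password plus Duo, no public keys; VPN or internal clients: public key with no extra Duo step) but not how a host enforces it. The sketch below is an added illustration, not UMIACS's own configuration. It assumes Duo is attached to sshd's PAM stack through pam_duo from duo_unix, uses 203.0.113.0/24 as a placeholder for the VPN and internal address ranges, and models only those two paths; the internal password-without-Duo path the page also allows depends on how the PAM stack is arranged and is not shown.

```text
# Illustrative sshd_config for an MFA-enabled public-facing host.
# Added example, not UMIACS's configuration. Assumes pam_duo (duo_unix)
# is in the sshd PAM "auth" stack after the password module, and that
# 203.0.113.0/24 is a PLACEHOLDER for the internal/VPN address ranges.

UsePAM yes
# The Duo prompt is delivered through the PAM conversation, which only
# runs for keyboard-interactive logins. Plain "password" authentication
# has no conversation to carry the Duo menu, so it is switched off.
ChallengeResponseAuthentication yes   # KbdInteractiveAuthentication on OpenSSH 8.7+
PasswordAuthentication no

# Default applies to external clients: public keys are not accepted, and
# the single required method is password + Duo in one PAM conversation.
PubkeyAuthentication no
AuthenticationMethods keyboard-interactive

# VPN / internal clients (placeholder range): a public key alone is enough,
# and no Duo step is involved because PAM auth is never reached.
Match Address 203.0.113.0/24
    PubkeyAuthentication yes
    AuthenticationMethods publickey
```

Check the effect with `sshd -T -C addr=<client-ip>` (or `sshd -T` for the defaults), which prints the options that would apply to a connection from that address; from an external address `authenticationmethods` should read `keyboard-interactive` and `pubkeyauthentication` `no`.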

Example

The initial command or session setup for connecting to a host with multi-factor authentication enabled over SSH is the same as one that does not have it enabled. Our example for connecting to a host over SSH can be found here.
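The command is the same, but an SSH agent holding several keys will offer each of them before falling back to the password prompt, which is wasted effort against a host that does not accept keys. The client-side entries below are an added example, not from the page; `publichost.umiacs.umd.edu` is a placeholder for an MFA-enabled public-facing host, and the key path is assumed.

```text
# Illustrative ~/.ssh/config entries (added example, not UMIACS's own).
# "publichost.umiacs.umd.edu" is a PLACEHOLDER host name.

# Reached from outside: the host only supports interactive password + Duo,
# so skip the key offers and go straight to the "Password:" prompt.
Host publichost.umiacs.umd.edu
    PubkeyAuthentication no
    PreferredAuthentications keyboard-interactive,password

# Same host reached over the VPN: a public key is accepted with no Duo step.
# A separate alias keeps the two behaviours from interfering.
Host publichost-vpn
    HostName publichost.umiacs.umd.edu
    IdentityFile ~/.ssh/id_ed25519   # assumed key path
    IdentitiesOnly yes
```

With the first entry, `ssh -v user@publichost.umiacs.umd.edu` shows only the keyboard-interactive attempt in its debug output, matching the transcript that follows.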

Once you enter the command (if using a native terminal) or start the session (PuTTY or other terminal emulators), you will be presented with the following prompt:

Password:

Enter your UMIACS password here (the same as if you were using interactive password authentication to connect to an internal host). After correctly entering your password, you will be taken to the following prompt:

Password:
Duo two-factor login for mbaney

Enter a passcode or select one of the following options:

 1. Duo Push to XXX-XXX-1234
 2. Phone call to XXX-XXX-1234
 3. SMS passcodes to XXX-XXX-1234

Passcode or option (1-3):

(the last 4 digits shown will be replaced with the last 4 digits of the phone number you have registered with our Duo instance)

The three numbered options here correspond to three different actions that Duo can take to authenticate you, and are identical to the options that would be presented to you via a GUI if you were attempting to sign into another of our multi-factor authentication secured services, such as our Directory application:

  • Option 1 will send a push notification to the Duo app on your registered phone for you to accept to proceed.
Passcode or option (1-3): 1

Pushed a login request to your device...
  • Option 2 will call your registered phone and ask you to press any key on your phone to proceed.
Passcode or option (1-3): 2

Calling your phone...
Dialing XXX-XXX-1234...

(After answering)

Answered. Press any key on your phone to log in.
  • Option 3 will send a one-time passcode to your registered phone via SMS and then redisplay the prompt. Type the passcode received at the new prompt (which will show the first digit of the passcode sent) to proceed.
Passcode or option (1-3): 3

New SMS passcodes sent.

Duo two-factor login for mbaney

Enter a passcode or select one of the following options:

 1. Duo Push to XXX-XXX-1234
 2. Phone call to XXX-XXX-1234
 3. SMS passcodes to XXX-XXX-1234 (next code starts with: 1)

Passcode or option (1-3): 1234567