Setting up Authy to provide two-factor authentication for SSH is not a new subject for many of us, but some of the details may have faded without a refresher. If you want to rewind and bring yourself up to date, this post is here to help.
I will first refresh the basics before we move on to the main part.
Linux two-factor authentication makes your VPS or server more secure. In addition to a password or SSH key, it requires a time-sensitive token generated on your phone. If your password is exposed, or if you reveal your private key by mistake, your server stays secure. Authy provides a simple platform for setting up two-factor authentication. It works not only with popular apps like Google and Dropbox, but also with your own VPS, and it is simple to set up. Though it is a commercial service, around 1000 logins per month can be used for free for personal use.
Hopefully you now have a grip on the basics. Let's move on to the main part, the install.
Setup Authy on your phone
The first step is to download the Authy app for your device. Open the app, follow the steps, and verify your phone number. Your phone now holds a secure token.
Set up a developer account
Now you need to register as a developer as well, so you can link your VPS to your phone's Authy app.
- Go to the signup page.
- Enter your email address, state, mobile number and password.
- Use the same mobile number you entered before.
- You will receive an email from Authy.
- Click the link in the email and you will be asked to log in.
- Your phone is now configured as the token source for accessing your account.
- Open the Authy app; it now shows the one-time password for logging in.
Create an API Application
Once you are in your dashboard, click "Create new application". Enter a name for your local server and click "Create".
How To Install Authy And Configure Two-Factor Authentication:
Type the following command in the terminal:
Then enable two-factor for your user:
Test everything is working:
Restart your SSH server (see below if you are not on Ubuntu).
Restarting your ssh server
RedHat and Fedora Core Linux
Installing without root privileges
Type the following command in the terminal:
Now protect your user:
Enable two-factor auth on a user
After the installation, enable two-factor for the users you want to protect.
To enable a user, type the following command and fill in the form:
If you want to do it in one line just type:
How it works
Authy-ssh uses the sshd_config directive ForceCommand to run itself before every login. Here's how your sshd_config will look after installing:
Whenever it runs, authy-ssh reads its configuration from /usr/local/bin/authy-ssh.conf. Here's an example:
In this case it means users root and daniel have two-factor enabled and that 1 is their authy_id. If a user is not in this list, authy-ssh lets them in without asking for a second factor.
Using two-factor auth with automated deployment tools
If you use capybara, chef, puppet, cfengine or git, you can create dedicated users for these tools so they can enter the machine without two-factor. Alternatively, you can limit which users the ForceCommand directive applies to by placing it inside a Match block.
A good example is to create a two-factor users group:
usermod -a -G two-factor root
Now that my root user is in the two-factor group, I edit my /etc/ssh/sshd_config:
[root@ip-10-2-113-233 ~]# cat /etc/ssh/sshd_config | grep ForceCommand -A 1 -B 1
match Group two-factor
ForceCommand /usr/local/bin/authy-ssh login
$ /sbin/service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Now the ForceCommand only applies to users in the two-factor group.
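To see how that Match block decides who gets the forced command, here is an added Python example, my own code and not part of authy-ssh or the original post. It evaluates a small constructed sshd_config the way sshd does: directives before the first Match line are global, a Match block applies only when every criterion on its line matches, and when several blocks match, the first one to set a keyword wins. The sample config, the deploy user, the deploy-hook command and the group lists are assumptions for the example; only the User, Group and All criteria are handled, and pattern negation with "!" is not.

```python
"""Evaluate which sshd_config directives apply to a user, following sshd's
Match semantics. Added example: not part of authy-ssh or the original post."""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional, Tuple

# A Match block: the (criterion, patterns) pairs from its Match line plus the
# directives that follow it up to the next Match line.
Block = Tuple[List[Tuple[str, str]], Dict[str, str]]


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Block]]:
    """Split a config into global directives and an ordered list of Match blocks.
    Keywords are case-insensitive; within one section the first value set wins."""
    global_directives: Dict[str, str] = {}
    blocks: List[Block] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            words = value.split()
            if len(words) % 2:
                raise ValueError(f"bad Match line: {raw!r}")
            criteria = [(words[i].lower(), words[i + 1]) for i in range(0, len(words), 2)]
            current = {}
            blocks.append((criteria, current))
        else:
            section = global_directives if current is None else current
            section.setdefault(keyword, value)
    return global_directives, blocks


def block_matches(criteria: List[Tuple[str, str]], user: str, groups: Iterable[str]) -> bool:
    """True when every criterion on the Match line matches the user.
    Only User, Group and All are handled (no Address/Host, no '!' negation)."""
    groups = list(groups)
    for kind, patterns in criteria:
        pats = patterns.split(",")
        if kind == "all":
            ok = True
        elif kind == "user":
            ok = any(fnmatchcase(user, p) for p in pats)
        elif kind == "group":
            ok = any(fnmatchcase(g, p) for g in groups for p in pats)
        else:
            raise ValueError(f"unsupported Match criterion: {kind}")
        if not ok:
            return False
    return True


def effective_config(text: str, user: str, groups: Iterable[str]) -> Dict[str, str]:
    """Global directives overridden by the matching Match blocks, in file order."""
    global_directives, blocks = parse_sshd_config(text)
    overrides: Dict[str, str] = {}
    for criteria, directives in blocks:
        if block_matches(criteria, user, groups):
            for keyword, value in directives.items():
                overrides.setdefault(keyword, value)  # earlier matching block wins
    return {**global_directives, **overrides}


def forced_command(text: str, user: str, groups: Iterable[str]) -> Optional[str]:
    """The ForceCommand a login as `user` would run, or None if none applies."""
    return effective_config(text, user, groups).get("forcecommand")


# Constructed sample config, modelled on the Match block from the post. The
# deploy user and the deploy-hook command are assumptions for this example.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication no
AcceptEnv LANG LC_*
Match Group two-factor
    ForceCommand /usr/local/bin/authy-ssh login
    AcceptEnv LANG LC_* AUTHY_TOKEN
Match User deploy
    ForceCommand /usr/local/bin/deploy-hook
"""

if __name__ == "__main__":
    # Group lists are constructed; on a real host derive them with grp/os.getgrouplist.
    for user, groups in [("root", ["root", "two-factor"]),
                         ("daniel", ["daniel", "users"]),
                         ("deploy", ["deploy"])]:
        cfg = effective_config(SAMPLE_SSHD_CONFIG, user, groups)
        print(f"{user:<7} ForceCommand={cfg.get('forcecommand')!s:<36} "
              f"AcceptEnv={cfg.get('acceptenv')}")
```

The group-scoped AcceptEnv line in the sample shows the same mechanism the scp/sftp section relies on: only logins that fall under the two-factor block get AUTHY_TOKEN accepted from the client, while everyone else keeps the global list.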
scp, sftp, mosh and git push with two-factor authentication
Non-interactive commands like scp, sftp, mosh and git clone|fetch|push cannot prompt for a token. To make them work, you have to allow the client to pass the environment variable AUTHY_TOKEN to the server. Edit your sshd_config (normally located in /etc or /etc/ssh/) and add AUTHY_TOKEN to the AcceptEnv directive.
Then configure the client to send that variable to the server: open ~/.ssh/config and add the following:
Host *
    SendEnv AUTHY_TOKEN
And finally pass the token before the command:
AUTHY_TOKEN="valid-token" git push origin master
AUTHY_TOKEN="valid-token" scp server:path/to/file local-file
AUTHY_TOKEN="valid-token" mosh server
Multiple users sharing the same unix account
You can have multiple users sharing a single login while still using two-factor authentication without sharing the same token. Every user keeps their own Authy token, which preserves non-repudiation. To achieve this, delete or comment out the ForceCommand directive from your sshd_config:
$ sudo sed -i 's/^\(ForceCommand.*authy-ssh.*\)/#\1/' /etc/ssh/sshd_config
and then, for each person, add their SSH key using the following command:
$ sudo authy-ssh protect
You should end up with an authorized_keys file that looks like this:
command="/usr/local/bin/authy-ssh login 13386" ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAunBSy1b4VTg6K9bkpn98dI6q2XLhi6f7IOalEzQ2h6JGLCQZcXTcIZaK9UbJ JYq+wxdGhpdWsuSpwCTF3E2V5eyu8f35QUI0VXmhmAhBW0M13pDU9DPl2nlQYg2dMCV++9Dx9bha3WIkpWwmVZALgv0/ fuLCY06uIbztArmuWHfZApkaysGEFuwikkx3uzYueNuUnoGHH+45XeQQ4BGCdOeFHIxJ/5wbpqyVpfIzg2Qb0siAlL1WmAi 2D0WAzJPKNoKMi6zpJd+KbEOrZTdmKhOZB5THBqaZbXEqGM5logy4FTdNV/oW9ARba1t3H7K1HgRc0S4kPcVj8s+BIiPrw4i 2HAtfvVvMgvh+OdV782O4V/+Z0/SF6mXXKn/uhXViemCWGJpGs/KJ5N+6pN3tgk/+TKOup0OeSDVaWEDXvjbl+5gYLMjJR f7iZojLMerie7EWDwW1QIJVIYngNWQ/+kdqMDxY13DGPDhxNZG2qmDP8V/6FmpDwXpcAOIuM1FCJHSs/tmx3hqOvxbU5S v4o2or6ABunoUGEy9HSXTBSFyYVLaTVX1R+EdEjDNQCtR9qbKOGSEXchl8IHxj3BlNf2dRbChon2GaJOSkQDykP8835jq fHzBk+8v+yaTeRoikoK0PKv6V32fLmX/d6qaO6IU6xeC5SbqaN2qBr1EoKUE= command="/usr/local/bin/authy-ssh login 20" ssh-rsa ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAunBSy1b4V Tg6K9bkpn98dI6q2XLhi6f7IOalEzQ2h6JGLCQZcXTcIZaK9UbJJYq+wxdGhpdWsuSpwCTF3E2V5eyu8f35QUI0VXmh mAhBW0M13pDU9DPl2nlQYg2dMCV++9Dx9bha3WIkpWwmVZALgv0/fuLCY06uIbztArmuWHfZApkaysGEFuw ikkx3uzYueNuUnoGHH+45XeQQ4BGCdOeFHIxJ/5wbpqyVpfIzg2Qb0siAlL1WmAi2D0WAzJPKNoKMi6zpJ d+KbEOrZTdmKhOZB5THBqaZbXEqGM5logy4FTdN=
The previous command will ask you for the user's SSH public key, cellphone number and email.
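Once the global ForceCommand is gone, the only thing keeping two-factor on that shared account is the command="/usr/local/bin/authy-ssh login <authy_id>" option on each key, so a key that was added by hand without it logs in on the key alone. The following added Python example, my own code and not part of authy-ssh or the original post, parses authorized_keys lines (including quoted options that contain spaces and commas) and reports which keys carry the authy-ssh forced command and which do not. The sample file, its comments and the placeholder key material are constructed for the example.

```python
"""Audit an authorized_keys file for keys that lack the authy-ssh forced
command. Added example: not part of authy-ssh or the original post."""
import re
from typing import Dict, List, Optional, Tuple

AUTHY_CMD = re.compile(r"^/usr/local/bin/authy-ssh login (\d+)$")
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_options(text: str) -> Tuple[Dict[str, Optional[str]], int]:
    """Parse the comma-separated options field that precedes the key type.

    Quoted values may contain spaces and commas, and backslash escapes inside
    quotes are honoured. Returns the options and the index of the whitespace
    that ends the field."""
    opts: Dict[str, Optional[str]] = {}
    chunk: List[str] = []
    in_quotes = False
    i = 0

    def flush() -> None:
        raw = "".join(chunk)
        chunk.clear()
        if raw:
            name, sep, value = raw.partition("=")
            opts[name] = value if sep else None  # flag options have no value

    while i < len(text):
        c = text[i]
        if in_quotes and c == "\\" and i + 1 < len(text):
            chunk.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "," and not in_quotes:
            flush()
        elif c.isspace() and not in_quotes:
            break
        else:
            chunk.append(c)
        i += 1
    flush()
    return opts, i


def parse_line(line: str) -> Optional[dict]:
    """Parse one authorized_keys line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        opts, rest = {}, line  # no options field
    else:
        opts, idx = parse_options(line)
        rest = line[idx:]
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"malformed authorized_keys line: {line[:40]!r}")
    return {"options": opts, "type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) == 3 else ""}


def authy_id(entry: dict) -> Optional[int]:
    """The authy_id enforced by the key's command= option, or None if the
    key has no command or a command other than authy-ssh login."""
    cmd = entry["options"].get("command")
    if cmd is None:
        return None
    m = AUTHY_CMD.match(cmd)
    return int(m.group(1)) if m else None


def audit(contents: str) -> List[dict]:
    """One record per key; protected is False for keys that skip authy-ssh."""
    report = []
    for n, line in enumerate(contents.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        aid = authy_id(entry)
        report.append({"line": n, "type": entry["type"], "comment": entry["comment"],
                       "authy_id": aid, "protected": aid is not None})
    return report


# Constructed sample file: the key material is a short placeholder, not a real key.
SAMPLE = """\
# keys for the shared 'deploy' account (constructed sample)
command="/usr/local/bin/authy-ssh login 13386" ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholder1 alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAplaceholder2 bob@laptop
no-port-forwarding,command="/usr/local/bin/authy-ssh login 20",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAplaceholder3 carol@laptop
"""

if __name__ == "__main__":
    for rec in audit(SAMPLE):
        status = "ok" if rec["protected"] else "NO 2FA"
        print(f"line {rec['line']}: {rec['comment']:<14} authy_id={rec['authy_id']} [{status}]")
```

Run it against a real file with audit(open(path).read()); any record with protected False is a key that bypasses two-factor on that account and should be re-added through authy-ssh protect.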
Uninstall Two Factor SSH Authentication on Authy
To uninstall type:
$ sudo authy-ssh uninstall
Then restart your SSH server.
Running Unit Tests
$ cd tests
$ rake test
These commands run the unit tests for authy-ssh.
I hope you have all refreshed your knowledge of configuring Authy two-factor authentication for SSH. If you feel I should add more points, don't worry, we will keep you posted with more info. Stay connected to our page and keep updating your knowledge with more topics.