DEV Community

Diego

How to setup two factor authentication using DUO security on SSH

Introduction

Two-factor authentication (2FA), also called two-step authentication, is an important security measure that adds a second layer of protection on top of the password we use. This extra layer makes it much harder to breach user accounts. Today it is very common to find applications that use two-factor authentication.

There are several options for using 2FA:

  • A physical security key: a hardware token that works like the key to a lock.
  • Through an application: commonly installed on a smartphone; when logging in, we get a prompt on the device to verify our identity.
  • Verification code: this option sends a one-time numeric code, for example by SMS or by phone call, which must be entered to verify our identity.

Requirements

In this tutorial we will use Duo Security, whose free version lets us register up to 10 users.

DUO free

Steps

Once the Duo account is created, we can access the dashboard, which looks as follows.

Dashboard

Inside the dashboard we go to "Applications" and select "Protect an Application", as follows.

Protect an Application

We search for "UNIX" and then select "Protect".

Protect an Application

After selecting "Protect", we must save the details that are presented to us: the Integration key, the Secret key and the API hostname.

UNIX Application

Then, at the bottom of the page, we click "Save".

Save button

We make sure that the application we have just saved appears under "Applications".

Server name

Adding the DUO security package repository

On our server, we add the following repository to the sources list by editing the file /etc/apt/sources.list:

deb https://pkg.duosecurity.com/Debian bullseye main

We add the repository signing key:

curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -

And proceed to update the package index and install the duo-unix package:

apt-get update && apt-get install duo-unix

Once the duo-unix package is installed, we edit pam_duo.conf in /etc/duo to add the integration key, secret key and API hostname from our Duo Unix application:


[duo]
; Duo integration key
ikey = <integration key>
; Duo secret key
skey = <secret key>
; Duo API hostname
host = <api hostname>
pushinfo=yes

Configuring PAM

We are going to configure OpenSSH to use Duo. For that, set both UsePAM and ChallengeResponseAuthentication to yes in your sshd_config file at /etc/ssh/sshd_config. You should also set UseDNS to no so that pam_duo is always passed the IP address of the connecting user rather than the resolved hostname.


UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no

Since we are using a Debian system, the pam_duo.so module should be found in /lib64/security:

root@debian11-server:~# ls -lh /lib64/security | grep duo
-rwxr-xr-x 1 root root 921 Feb 2 16:12 pam_duo.la
-rwxr-xr-x 1 root root 437K Feb 2 16:12 pam_duo.so
root@debian11-server:~#

What is PAM?

The pluggable authentication module (PAM), in a nutshell, is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme.
https://www.linux.com/news/understanding-pam/

We proceed to configure the following file:

vim /etc/pam.d/common-auth

Before:


auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so

After:


auth requisite pam_unix.so nullok
auth [success=1 default=ignore] /lib64/security/pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so

The position of this line and its control flag (e.g. "required", "requisite", "sufficient") vary between distributions. For most common configurations, place pam_duo directly after pam_unix (frequently found in common-auth or system-auth on Linux), set pam_unix's control flag to "requisite", and give pam_duo the control flag that pam_unix had before. Be careful with the jump count: if pam_unix were left at [success=2 default=ignore] with pam_duo inserted after it, a correct password would jump over both pam_duo and pam_deny straight to pam_permit, and the second factor would never be asked for.
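To see which modules a given stack actually consults, here is a small simulator written for this post (it is not part of the original tutorial or of duo_unix) that walks an auth stack with simplified Linux-PAM semantics for required, requisite, sufficient and [success=N default=ignore]. The two sample stacks are constructed inline, and second_factor_enforced reports whether a correct password alone is refused.

```python
import re

# Constructed sample stacks: a common-auth layout with pam_unix at success=2 (which jumps
# past pam_duo), and the requisite/success=1 layout the explanation above calls for.
SKIPS_DUO = """
auth [success=2 default=ignore] pam_unix.so nullok
auth sufficient /lib64/security/pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
"""
ENFORCES_DUO = """
auth requisite pam_unix.so nullok
auth [success=1 default=ignore] /lib64/security/pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
"""
LINE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")  # control (bracketed or a word), then module path
JUMP = re.compile(r"\[success=(\d+)\s+default=ignore\]")

def parse_stack(text):
    """[(control, module)] for each 'auth' line; module keeps only its file name."""
    matches = (LINE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2).rsplit("/", 1)[-1]) for m in matches if m]

def simulate(stack, outcomes):
    """Simplified Linux-PAM auth walk; outcomes maps module -> True/False. Returns (authenticated, consulted)."""
    consulted, failed, succeeded, i = [], False, False, 0
    while i < len(stack):
        control, module = stack[i]
        ok = {"pam_permit.so": True, "pam_deny.so": False}.get(module, outcomes.get(module, False))
        consulted.append(module)
        jump = JUMP.match(control)
        if jump:  # success=N skips the next N modules; a failure is ignored
            if ok:
                succeeded, i = True, i + int(jump.group(1))
        elif control == "requisite":  # failure ends the stack at once
            if not ok:
                return False, consulted
            succeeded = True
        elif control == "required":  # failure is remembered, but the walk continues
            failed, succeeded = failed or not ok, succeeded or ok
        elif control == "sufficient" and ok and not failed:
            return True, consulted  # enough on its own unless a required module already failed
        i += 1
    return succeeded and not failed, consulted

def second_factor_enforced(text):
    """True when a correct password alone is not enough: pam_duo is consulted and its denial fails the login."""
    authed, consulted = simulate(parse_stack(text), {"pam_unix.so": True, "pam_duo.so": False})
    return "pam_duo.so" in consulted and not authed
```

Running second_factor_enforced over the two stacks shows the difference: with the success=2 jump pam_duo is never consulted, with the requisite/success=1 layout a Duo denial fails the login.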

SSH Public Key Authentication

Now, we proceed to configure this file:

vim /etc/pam.d/sshd

Before:

@include common-auth

After:


auth required pam_unix.so
auth sufficient /lib64/security/pam_duo.so
auth required pam_deny.so

Now we restart the SSH service and log in to the server again.

ssh diego@<debian-server IP address>
(diego@<debian-server IP address>) Password:
Please enroll at https://api-ca19920d.duosecurity.com/portal?code=123456789&akey=abcdefghijklm
(diego@<debian-server IP address>) Password:

Enrolling with DUO link

We need to open the enrollment link and follow the steps presented in the browser.

We click "Start setup".

Start setup

We select the "Mobile phone" option.

Mobile

We proceed to add our phone number.

Phone number

We select our phone brand.

Brand

At this point, we need to have the DUO app installed on our smartphone; the DUO app is available for iPhone and Android.

We click "Continue" on the step above and a QR code is presented on the screen; we open the DUO app and scan it. After that, the following screen is presented and we click "Finish Enrollment".

Finish enrollment

After the above steps, the enrollment is done. Now we can log in to our server again, and we will be presented with the following:

ssh diego@<debian-server IP address>
(diego@<debian-server IP address>) Password:
(diego@<debian-server IP address>) Duo two-factor login for diego
Enter a passcode or select one of the following options:
 1 Duo Push to +XX XX XXXX XX95
 2 SMS passcodes to +XX XX XXXX XX95
Passcode or option (1-2):

We hit 1 to receive a push notification on our phone; after we select that option and approve it on the phone, we are logged in to the server.

Passcode or option (1-2): 1
Success. Logging you in…
Success. Logging you in…
Linux debian11-server 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Apr 23 22:52:59 2022 from x.x.x.x
diego@debian11-server:~$

And this is how we can set up 2FA with Duo to log in to our server via SSH.
