
I'm currently trying to require regular users on a Linux SSH server to use 2FA (password + TOTP) while allowing power users to use only SSH keys for authentication. SSH keys are sufficiently secure for my purposes, but many of the users will initially be unable to cope with the use of SSH keys. For them, it should be OK to use a password, but in combination with a TOTP like google-authenticator.

I found good tutorials for setting up 2FA like https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04 and similar questions like Use Public Key or Password and PAM verification code but no answer with regard to how to configure sshd to allow public key as single factor and (password + TOTP) as 2FA at the same time. Any hints are welcome. Thank you.
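One way to express exactly this split in `sshd_config`, shown here as an added example and not as anything from the question or the linked tutorial: the power users are placed in a Unix group (the group name `keyonly` is an assumption) and get a public key as their single factor, while everyone else is pushed through one keyboard-interactive round in which the PAM stack asks for the password and then the TOTP code. It assumes the Debian/Ubuntu PAM layout and `pam_google_authenticator` installed as in the DigitalOcean tutorial above.

```text
# /etc/ssh/sshd_config (added example; the group name "keyonly" is an assumption)

UsePAM yes
PubkeyAuthentication yes

# Never accept a bare password. Passwords are only collected inside the PAM
# keyboard-interactive conversation, where the TOTP prompt follows them.
PasswordAuthentication no
KbdInteractiveAuthentication yes
# Older OpenSSH releases spell this directive ChallengeResponseAuthentication.

# Default for everyone not matched below: one keyboard-interactive round,
# in which PAM asks for the password and then the verification code.
AuthenticationMethods keyboard-interactive:pam

# Power users: a public key alone is sufficient, and the PAM prompts are off.
Match Group keyonly
    AuthenticationMethods publickey
    KbdInteractiveAuthentication no
```

In `/etc/pam.d/sshd` keep the distribution's `@include common-auth` line (that is the password check) and add `auth required pam_google_authenticator.so` after it, without the `nullok` option, so a user who has not enrolled a TOTP secret is refused rather than silently let through on the password alone. Run `sshd -t` to syntax-check the file and keep an existing session open while restarting the daemon, because a mistake in `AuthenticationMethods` locks everyone out at once.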

1 Answer


Password authentication in combination with TOTP should not be used, because both are sent in plain text (see RFC 4252) to the server and can be intercepted by a man-in-the-middle SSH server. This setup only increases security if the password gets compromised/stolen.

Most TOTP tokens are valid for 30 seconds, which is a really long time if a man-in-the-middle attacker has intercepted the token. The password and the token can be used to log in to other SSH servers if you are using the same setup and users.

When using only SSH keys to log in to the server, you must provide a way to deploy the public key. Instead of generating a TOTP token for the user, you can save the user's public key. For example, GitHub allows adding a public key in its web interface.

The most important security feature is the ssh fingerprint!

Your users MUST verify the fingerprint. If the fingerprint is not verified, the user does not know whether the remote server is a man-in-the-middle server or not.

If you want to increase security, you should provide the SSH server's fingerprints over a trusted source:

  • SSH fingerprint on a website secured with HTTPS and a valid certificate (e.g. Let's Encrypt)
  • SSHFP DNS records secured with DNSSEC
Manfred Kaiser
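To make the two publication channels in the answer concrete, the following added example (my own code, not the answerer's) shows that the `SHA256:...` fingerprint a user sees on first connection and the hex digest in an SSHFP record are the same SHA-256 over the host key blob in two encodings, and performs the comparison a client with `VerifyHostKeyDNS=yes` performs. The host key is a constructed 32-byte value, not a key from any real server, and the hostname `ssh.example.com` is a placeholder; the SSHFP code points follow RFC 4255, RFC 6594, RFC 7479 and RFC 8709.

```python
import base64
import hashlib
import struct

# Code points from RFC 4255 (RSA=1, DSA=2, SHA-1=1), RFC 6594 (ECDSA=3, SHA-256=2),
# RFC 7479 (Ed25519=4) and RFC 8709 (Ed448=6).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4, "ssh-ed448": 6,
}
SSHFP_SHA256 = 2


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw_key: bytes, comment: str) -> str:
    """Build a line in ssh_host_ed25519_key.pub / authorized_keys format.
    raw_key is the 32-byte Ed25519 public point; callers here pass a
    CONSTRUCTED value, not a key from a real server."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> tuple:
    """Return (key type, decoded key blob). The blob's first wire string must
    repeat the key type, which catches mangled or mislabelled lines."""
    key_type, b64, *_ = line.split()
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match the line")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """The fingerprint as ssh and `ssh-keygen -lf` print it: "SHA256:" plus
    unpadded base64 of the digest over the whole key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_record(hostname: str, line: str) -> str:
    """Render the SHA-256 SSHFP resource record for the key, the same data that
    `ssh-keygen -r hostname -f key.pub` emits (that tool adds a SHA-1 line too)."""
    key_type, blob = parse_pubkey_line(line)
    return (f"{hostname} IN SSHFP {SSHFP_ALGORITHM[key_type]} {SSHFP_SHA256} "
            f"{hashlib.sha256(blob).hexdigest()}")


def fingerprint_from_sshfp(record: str) -> str:
    """Re-encode the SSHFP hex digest in the SHA256:... form users see on first
    connection, so a record and a client prompt can be compared by eye."""
    fp_hex = record.split()[5]
    return "SHA256:" + base64.b64encode(bytes.fromhex(fp_hex)).decode().rstrip("=")


def host_key_matches_sshfp(line: str, record: str) -> bool:
    """The check a client with VerifyHostKeyDNS=yes performs: does the host key
    the server presented hash to the fingerprint published in DNS?"""
    key_type, blob = parse_pubkey_line(line)
    _, _, _, alg, fptype, fp_hex = record.split()
    return (int(alg) == SSHFP_ALGORITHM[key_type]
            and int(fptype) == SSHFP_SHA256
            and hashlib.sha256(blob).hexdigest() == fp_hex.lower())


# Constructed sample host key (32 predictable bytes) and a placeholder hostname.
SAMPLE_HOST_KEY = make_ed25519_pubkey_line(bytes(range(32)), "root@ssh.example.com")
SAMPLE_RECORD = sshfp_record("ssh.example.com", SAMPLE_HOST_KEY)

if __name__ == "__main__":
    print(SAMPLE_HOST_KEY)
    print(sha256_fingerprint(parse_pubkey_line(SAMPLE_HOST_KEY)[1]))
    print(SAMPLE_RECORD)
    # A different key, as a substituted server would present, fails the check.
    other = make_ed25519_pubkey_line(bytes(range(1, 33)), "other")
    print(host_key_matches_sshfp(SAMPLE_HOST_KEY, SAMPLE_RECORD),
          host_key_matches_sshfp(other, SAMPLE_RECORD))
```

Note that `ssh` only treats an SSHFP answer as authoritative when its resolver reports the record as DNSSEC-validated; without that it still falls back to asking the user, which is why the answer pairs SSHFP with DNSSEC rather than plain DNS.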