
Free Two-Factor Auth for your Servers and VPNs

by Jeremy L. Gaddis on June 23, 2011, in Security

Last week, I wrote about bitcoin and its reliance on exchanges such as Mt. Gox. A few days later, Mt. Gox had a few more “issues” including their entire user database being leaked to the Internet.

In various online discussions afterwards, the use of two-factor authentication came up repeatedly. I wondered if there was a cheap, reliable way to handle two-factor authentication for my own systems.

Fortunately, there is.

As some of you surely know, I prefer to use anything besides Windows whenever possible. I have a few servers at home which run Linux, my primary machine is a MacBook Pro, and this web server now runs Debian GNU/Linux (I recently converted it from FreeBSD).

I access the server remotely using SSH, of course, mostly from home. I have a static IP address, which makes it easy to firewall off SSH so that attacks against it are impossible. There are times, though, when I need to be able to SSH in from other places: from friends’ homes, when I’m out of town visiting family, or when travelling, for example. In those cases, I usually just open up SSH from everywhere and run it on a non-standard port.

From my home machines and my laptop, I use SSH public key authentication. This works wonderfully, except if I’m somewhere else and don’t have my laptop with me. In those cases, I have to use someone else’s computer (an “untrusted” device) and possibly give up my password to any malware it may contain.

While looking into my options for two-factor authentication, I discovered Duo Security.

Duo Security’s two-factor authentication uses your mobile phone as the “something you have” piece. They advertise a “15-minute configuration for most SSL VPNs (Juniper, Cisco, SonicWALL), Unix systems, and web applications”. Even better for us: it’s completely free for up to 10 users!

I don’t use an SSL VPN at home anymore, but I decided to experiment with Duo Unix. Duo Unix provides two-factor authentication for SSH and PAM logins.

I first set up Duo Unix on one of my Debian boxes at home. Getting set up with an account on their site and creating my first “integration” took just a few moments. They don’t (appear to) provide pre-compiled binaries, but it took only a moment to build the software from source and get it installed. Adding the integration key, secret key, and API hostname took maybe 30 seconds.

On this particular machine, I usually log in via the console and not SSH, so I configured PAM to use two-factor authentication and tested it. I first had it send passcodes to my mobile phone (currently an HTC Incredible loaded up with Cyanogenmod) via SMS:

Once I knew everything worked, I “un-configured” this system. I don’t need two-factor authentication on a server at home.

I ran through pretty much the same steps on my web server, except that I configured SSH to use two-factor authentication. The only time I log in via the console (via VNC-over-SSH to a console server) is if “something bad happened” or I don’t have network connectivity, which would probably make the two-factor authentication fail.

Configuring SSH took only a few seconds and consisted of adding one line to the /etc/ssh/sshd_config file and restarting the SSH server.
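The one line is Duo’s ForceCommand hook for login_duo. As an added example that is not from the original post, the shell functions below render that line (together with the two directives Duo’s documentation recommends alongside it), render the login_duo.conf that the integration key, secret key, and API hostname go into, and check an sshd_config for the hook before appending it so the edit is idempotent. The paths /usr/sbin/login_duo and /etc/duo/login_duo.conf and the bracketed key values are assumptions and placeholders, not values from this post.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumed install paths:
# /usr/sbin/login_duo and /etc/duo/login_duo.conf.

# The sshd_config lines: ForceCommand runs login_duo as the second factor
# only after password or public-key authentication has already succeeded.
# The two extra directives stop a client from tunnelling past the prompt.
duo_sshd_lines() {
    cat <<'EOF'
# Duo Unix second factor (added after first-factor auth succeeds)
ForceCommand /usr/sbin/login_duo
PermitTunnel no
AllowTcpForwarding no
EOF
}

# login_duo.conf: the three values the post pasted in from the Duo
# "integration", plus failmode. "secure" denies logins when the Duo API
# is unreachable (the no-connectivity case the post anticipates);
# "safe" would let them through without a second factor instead.
duo_login_conf() {
    cat <<'EOF'
[duo]
ikey = <INTEGRATION_KEY>
skey = <SECRET_KEY>
host = <API_HOSTNAME>
failmode = secure
EOF
}

# Return 0 if the sshd_config at $1 already forces login_duo, else 1.
duo_sshd_configured() {
    grep -Eq '^[[:space:]]*ForceCommand[[:space:]]+(/usr/sbin/)?login_duo' "$1"
}

# Append the Duo lines to $1 only when the hook is not already present.
duo_sshd_enable() {
    duo_sshd_configured "$1" || duo_sshd_lines >> "$1"
}

# Write the Duo config to $1 (pass /etc/duo/login_duo.conf on a real host).
duo_write_conf() {
    duo_login_conf > "$1" && chmod 600 "$1"
}
```

After applying this to the real files, `sshd -t` validates the syntax before the restart the post describes.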

Now, when I SSH into the webserver, I first get prompted for my password if I’m not using a public key. Either way, once the password or public key authentication succeeds, I’m given a choice:

I can use the Duo Mobile application on my phone to authorize an authentication request, have the system call me on my mobile phone, or use one of the passcodes that was previously sent to me via SMS.

In the example above, you can see that I simply entered in the next passcode from the list I was given. The software then verifies the passcode and logs me in.

I haven’t tried using the application with any SSL VPNs (I don’t use those at home anymore), but I have no doubt that it will work just as easily. With Duo Web, you can also configure your own web applications (they even have a WordPress plugin!) to use two-factor authentication. Pretty much everyone reading this article should be able to find a use.

For those of you looking for two-factor authentication for your remote servers or VPNs, I’d encourage you to look into Duo. As mentioned, it’s free for up to 10 users. Even if you were to exceed that, pricing is pretty acceptable.
