
Local privilege 2FA with SSH Keys

Local Privileges Account 2FA

Local privileged accounts can have 2FA enabled, using an SSH key or password as the first factor and a DID as the second. The second factor sends a login request to the wallet with which the endpoint user credential has been shared; when the request is approved, the user is authenticated into the endpoint. Read more on how to assign endpoint user credentials to a wallet and on accepting login requests from a wallet.

Local users can be configured to have a password or SSH keys as the first factor, coupled with a DID as the second factor.

Configuring a Local Privileged Account for Login via SSH Keys

Generating Keys for SSH Login

  1. Generate an SSH key pair with:

    ssh-keygen
  2. Copy the public key to the target endpoint (this appends it to the user's authorized_keys file):

    cat ~/.ssh/id_rsa.pub | ssh username@ipaddress "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Configuring AuthNull PAM Authenticator for SSH Login

  1. Log in to any VM and check out the pam_authenticator.so module and the did.sh script from this GitHub link.

  2. Move the pam_authenticator.so file into the /usr/local/lib/security path (if the “security” folder is not available, create it), and also move did.sh to the root (/) path (provide the correct permissions if required).

  3. Add the lines below at the end of the /etc/pam.d/sshd file, and comment out the existing @include common-auth line so that /etc/pam.d/common-auth is no longer consulted for SSH logins:

    auth required /usr/local/lib/security/pam_authenticator.so debug nullok
    auth required pam_permit.so
  4. For SSH Key authentication:

    Add the lines below at the end of /etc/ssh/sshd_config. With this setting, sshd requires the public key first and then the keyboard-interactive (PAM) factor:

    AuthenticationMethods publickey,keyboard-interactive
    KbdInteractiveAuthentication yes
  5. Restart the SSH service:

    sudo systemctl restart sshd
  6. Now log in to the VM using SSH:

    ssh username@ipaddress

    a. Enter the passphrase for the private key (make sure the public key is present in $HOME/.ssh/authorized_keys on the endpoint).

    b. The passwordless second factor (the DID login request to the wallet) is then initiated. Check the logs in /var/log/auth.log (for Ubuntu-based systems) or /var/log/secure (for CentOS-based systems).

  7. The following issues, visible in the logs, may occur when building or loading the .so file:

    a. PAM (header) not found

    • On CentOS and RHEL VMs, install the pam-devel package:

      sudo yum install pam-devel
    • On Debian/Ubuntu VMs, install libpam0g-dev:

      sudo apt-get install libpam0g-dev

    b. Autoconf not installed/found

    • On Debian/Ubuntu VMs, install autoconf and the other build dependencies:

      sudo apt-get install autoconf automake gdb git libffi-dev zlib1g-dev libssl-dev

Note: To exempt a user group from AuthNull's custom PAM authentication, add the following line to /etc/pam.d/sshd before the pam_authenticator.so entry (so that the group match is evaluated first), replacing group_name with the group to exempt. Members of that group will then log in without the MFA PAM step:

auth [success=done default=ignore] pam_succeed_if.so user ingroup group_name
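As an added example (not part of the AuthNull docs or the project's own code), the following Python script audits constructed copies of the two files edited above, /etc/ssh/sshd_config from step 4 and /etc/pam.d/sshd from step 3 together with the group-exemption note, and reports deviations from the described setup, including a pam_succeed_if.so exemption placed after pam_authenticator.so, where it cannot take effect. The file contents and the group name ops are constructed samples.

```python
import re

# Constructed sample contents of the two files after following the steps above.
SSHD_CONFIG = """\
AuthenticationMethods publickey,keyboard-interactive
KbdInteractiveAuthentication yes
"""
PAM_SSHD = """\
# @include common-auth
auth [success=done default=ignore] pam_succeed_if.so user ingroup ops
auth required /usr/local/lib/security/pam_authenticator.so debug nullok
auth required pam_permit.so
"""

def sshd_options(text):
    """Map sshd_config keywords (lowercased) to values; first occurrence wins, as in sshd."""
    opts = {}
    for m in re.finditer(r"^[ \t]*([A-Za-z]\w*)[ \t=]+(.*?)[ \t]*$", text, re.M):
        opts.setdefault(m.group(1).lower(), m.group(2))
    return opts

def pam_auth_stack(text):
    """Ordered, uncommented 'auth' entries as (control, module, args) tuples."""
    pat = r"^[ \t]*auth[ \t]+(\[[^\]]*\]|\S+)[ \t]+(\S+)[ \t]*(.*?)[ \t]*$"
    return [m.groups() for m in re.finditer(pat, text, re.M)]

def audit(sshd_text, pam_text):
    """Return a list of findings; an empty list means the setup matches the guide."""
    findings = []
    opts = sshd_options(sshd_text)
    # Every space-separated alternative must chain the key first, then the PAM factor.
    alts = opts.get("authenticationmethods", "").split()
    if not alts or any(a.split(",")[:2] != ["publickey", "keyboard-interactive"] for a in alts):
        findings.append("AuthenticationMethods must require publickey,keyboard-interactive")
    if opts.get("kbdinteractiveauthentication", "").lower() != "yes":
        findings.append("KbdInteractiveAuthentication must be yes, or the PAM prompt never runs")
    if re.search(r"^[ \t]*@include[ \t]+common-auth", pam_text, re.M):
        findings.append("@include common-auth is still active in /etc/pam.d/sshd")
    stack = pam_auth_stack(pam_text)
    auth_pos = next((i for i, (_, mod, _) in enumerate(stack) if mod.endswith("pam_authenticator.so")), None)
    if auth_pos is None:
        findings.append("pam_authenticator.so is not in the auth stack")
    for i, (_, mod, args) in enumerate(stack):
        # success=done only skips the DID factor when it runs before the authenticator.
        if auth_pos is not None and mod == "pam_succeed_if.so" and "ingroup" in args and i > auth_pos:
            findings.append(f"group exemption '{args}' comes after pam_authenticator.so and has no effect")
    return findings
```

Run audit() against the real files after editing them; any non-empty result points at a step above that was not applied as described.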