MFA for SSH Servers

To provide a more secure computing environment, students and faculty are required to set up MFA for accessing Sloop and Clipper over SSH. This is intended to minimize the risk to the School of Engineering and the University as a whole. This setup requires the use of an app such as Google Authenticator, Microsoft Authenticator or Authy which provide a time-based 6 digit token as additional verification. While there are others, I will do a quick overview of these three after the configuration directions.

To get your MFA configured, you must be logged into one of the School of Engineering lab machines running Linux.

  1. Install your preferred app (detailed write-up in progress)
  2. Log into a School of Engineering lab machine running Linux
  3. Launch a terminal session and make it full screen (to simplify things for some apps)
  4. Type google-authenticator at the command line and answer yes to the first question about the use of time-based codes. This will display a QR code you can scan, depending on the app and only usable if your terminal window is large enough. Under the QR code you will find the secret key which can be manually typed into the app. You will also be prompted to enter the current code.
  5. Once you have added the account into your app, you will be presented with a code which you enter into the computer to verify the account. (This can be skipped by entering -1, but it is highly recommended that you perform the code verification.)
  6. You will be presented with 5 emergency one-time use codes which would allow you to verify your identity in the event you do not have your device. You will also be asked if you want to update your local file. You must answer yes or you will be unable to use Sloop/Clipper.
  7. The next question asks if you want to prevent the use of the same code multiple times. Answer yes to prevent others from hijacking the code entered to compromise your account.
  8. Answer no to the following question. This asks if you want to increase the time window of valid codes. This is designed to address the time drift of devices. As most devices now utilize some for of automatic time sync, the server is configured to only allow the current code. In the event you say yes, you will still be required to use the current active code.
  9. Answer yes to the final question. This restricts the number of attempt allowed to prevent brute force attacks. The three chances defined here are permitted for certain uses, such as approved sudo commands. However, to avoid students selecting the less secure option, only two attempts are permitted by the system when initiating an SSH session.

Recommended TOTP MFA Applications

While there are numerous apps which support time-based one time passwords (TOTP), below are a few which are available for both Android and IOS. All three programs allow you to add accounts by scanning a QR code.

Google Authenticator: Google’s MFA authentication app is available for Android, IOS, and Blackberry. It provides both TOTP and HOTP (HMAC-based one time password) options for user authentication. Available from the Google Play Store and the Apple Store. This app is straightforward and simple to use.

Microsoft Authenticator: Microsofts’s MFA authentication app is available for Android and IOS. It provides both TOTP and HOTP (HMAC-based one time password) options for user authentication. Available from the Google Play Store and the Apple Store. This app adds the additional security of requiring a password to access the configured accounts. It also provides an option for encrypted cloud-based backups.

Authy: A personal favorite MFA authentication tool which provides versions for Android, IOS, Windows, MacOS, and Linux. You can find download links and more information about this application on their website. It supports TouchID, PIN, and password options to protect your MFA tokens. It also supports encrypted cloud backups and multi-device synchronization.