Protecting sshd - Was: SSHguard & IPFW

Joseph Olatt joji at eskimo.com
Thu Oct 1 19:52:30 UTC 2015


On Thu, Oct 01, 2015 at 03:11:35PM -0400, Christopher Hilton wrote:
> On Oct 1, 2015, at 3:08 PM, Christopher Hilton <chris at vindaloo.com> wrote:
> > 
> >> There are two ports which provide a pam module which is very handy for adding two factor authentication to ssh. security/oath-toolkit is the one I use but there is also security/pam_google_authenticator. With one of these you can add a line to /etc/pam.d/sshd and use an app on your phone which supports HOTP/TOTP, I personally use the Google Authenticator app. You generate a secret and scan it into the phone with a QR code and it shows a 6 digit number which changes every 30 seconds.
> >> 
> >> Then if you log in to ssh with a certificate it works like normal. If you log in to ssh with a password then it *also* asks for the latest code from your phone in addition to the password. Hugely more secure as even if somebody on the internet knows your password, it's highly unlikely they will also know the code currently displayed on your phone.
> > 
> > I would add that to my bag of tricks and consider it worlds more secure than sshd with only passwords. Is this the same Authenticator App that Google uses for two factor? I'm not sure where I would put it on the spectrum between Passwords Alone and Ssh-Keys Alone but it would be far enough along on the More Secure side that I would trust it.
> > 
> 
> Duh, you could just read the email rather than skimming it and make a smart assumption from the name "security/pam_google_authenticator". :-)



Many years ago, I grew concerned about network bandwidth usage and
system resource utilization due to brute force attacks. My servers were
getting pounded 24x7. So, I put together a simple Two-Factor
Authentication system.

The system was built for my FreeBSD servers and supports the following:
  
  (a) VPN (OpenVPN)
  (b) SSH
  (c) Web Single Sign-on (WSSO)
  
It works as follows:

  (1) User makes request for account. Manager/supervisor approves
      account. Has option to specify expiration date. User also chooses 
      password at this time (first factor; something the user knows).  

  (2) System will build a HTML file for user. In it is embedded a 
      GPG block that contains the login and expiration date. This is the
      second factor (something the user has)

  (3) When the user wants to VPN, SSH or WSSO, the user double-clicks 
      (or opens the HTML in browser) and enters his/her password. The
      GPG block and password are sent to web server via HTTPS. The 
      HTML file can be placed on devices the user uses (laptop, 
      desktop, phone, etc.) or on a USB thumb drive.

  (4) For SSH the system adds the user's IP to a PF table; For WSSO, a 
      secure cookie is created; For VPN, a one-time password is 
      displayed on the browser and IP is added to PF and a DB entry 
      created by a custom PAM module that OpenVPN talks to during 
      authentication.


I had open-sourced the entire code and put it on SourceForge.net. The
system was called Taferno (see: http://taferno.com). I have not pushed
updates to the code to SourceForge in a long time. If there is interest,
I will. I still use the system on my servers and hence updates have been
made. The system is written in C++ (to use the GPGME libraries at that
time) and some PERL. I don't have a FreeBSD port made yet.


There are probably more elegant solutions available today. (SSHGuard,
Google Authenticator, OTP Smart Phone apps, etc.)... When the Subject
of this thread changed to "Protecting sshd", I thought I'd share what 
I had done.




More information about the freebsd-questions mailing list