Can OpenSSH server check for a condition to accept or refuse a connection


I'd like to set up something akin to two-factor authentication for logging into an SSH server, provided by OpenSSH on Linux.

The client system will have the SSH key for logging in to the system, and if compromised, the private key can be misused.

The server side has another authentication mechanism which is provided by the enterprise; the ordinary way would be for the client to authenticate itself using this mechanism first, and then log in separately to the SFTP server. The danger is that, with key-based authentication, the client can bypass the authentication mechanism described above and log into the system directly.

So, I'd like to devise a mechanism whereby the SSH connection may be refused, by the SSH server being made to call a script or a check in some way, to see if the first authentication mechanism has been performed. The first method provides such an interface which can be queried for logon status. However, it is not a time-token-based authentication, which could be queried by having keyboard-interactive and the client being made to type in a tty or some terminal the number obtained. It provides a certificate push, and an application can query whether a certificate has been pushed. The certificate indeed acts like a token which is time-bound, but does not require any action from the user's side. An application, before executing its business logic, can query the status of this token, whether pushed from the client or otherwise.

If such a mechanism does exist, can it further be segregated for users, i.e., for some users, this may not be required...

user1173240

Posted 2020-01-22T06:02:48.227

Reputation: 261

I beg your pardon, yes, it is OpenSSH server, provided within CentOS 8. For a particular user, perhaps I can use ForceCommand to run such a check script? But I'm not sure if that is the right approach, or the implications of this. The script should check whether the user has used the other auth. mechanism, and close the SSH session for that user if not, or allow the SFTP request as originally intended... – user1173240 – 2020-01-22T07:46:57.407

ForceCommand is executed after authentication. + Using it in a way that allows both shell and SFTP might be complicated, but it is doable. See Seamless SFTP tunneling / jump box. – Martin Prikryl – 2020-01-22T07:50:51.743

I have no issues with SSH authentication succeeding if, at least immediately after, a check can be made for another condition, which if failing will allow the same connection to be closed. In my case, I don't have a jump server, so I am not immediately able to grasp the issue described in the link, I'm afraid. I see this comment: "But if you need both SFTP and SSH you will need to use Subsystem directive for SFTP, not ForceCommand:" – user1173240 – 2020-01-22T08:31:01.550

The user is not expected to use SSH, only SFTP, so that might make it easier? I think I'll have to take it stepwise, if this is the right approach, i.e., check the other auth in a script for the user -> close the connection for the user if not (no idea how to close the connection from within a script) -> continue SFTP if indeed authenticated – user1173240 – 2020-01-22T08:32:07.997

I know you do not have a jump server. It's that the other question does jump at the same moment where you want to do the authentication. + If the user expects SFTP only, then it's easier – you can use both ForceCommand and Subsystem directives. Though make sure you disable shell access, so as not to allow the user to bypass your SFTP restrictions. – Martin Prikryl – 2020-01-22T09:01:43.883

I'll try. Thanks for the suggestions. – user1173240 – 2020-01-22T10:02:54.463

No answers
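The approach the comments converge on (ForceCommand pointing at a check script, Subsystem left in place, shell access disabled, applied only to some users via a Match block) can be sketched as follows. This is an added example, not code from the question, the commenters or OpenSSH. The enterprise mechanism's "certificate pushed" status is not specified on the page, so it is modelled here as a hypothetical per-user token file whose modification time must be recent; the directory name, TTL and script name are assumptions, as is the sshd_config fragment in the header comment.

```shell
#!/bin/sh
# sftp-gate.sh: hypothetical ForceCommand wrapper (added example, not from the
# question or from OpenSSH). Installed for SFTP-only users through an
# sshd_config Match block such as:
#
#   Subsystem sftp /usr/libexec/openssh/sftp-server
#   Match Group sftp-gated
#       ForceCommand /usr/local/sbin/sftp-gate.sh
#       AllowTcpForwarding no
#       X11Forwarding no
#       PermitTTY no
#
# Users outside the Match block are unaffected, which gives the per-user
# segregation asked about in the question.
#
# ASSUMPTION: the enterprise "certificate pushed" status is modelled as a
# per-user token file under $AUTH_STATE_DIR whose mtime must be within
# $TOKEN_TTL seconds. Replace token_is_fresh() with the real status query.

AUTH_STATE_DIR="${AUTH_STATE_DIR:-/run/enterprise-auth}"
TOKEN_TTL="${TOKEN_TTL:-300}"
SFTP_SERVER="${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}"   # CentOS path

# token_is_fresh USER NOW: succeeds only if USER's token exists and is not
# older than TOKEN_TTL seconds at epoch time NOW (stat -c is GNU coreutils).
token_is_fresh() {
    f="$AUTH_STATE_DIR/$1.token"
    [ -f "$f" ] || return 1
    mtime=$(stat -c %Y "$f" 2>/dev/null) || return 1
    [ $(( $2 - mtime )) -le "$TOKEN_TTL" ]
}

# request_is_sftp CMD: with ForceCommand in effect, sshd passes the client's
# real request in SSH_ORIGINAL_COMMAND; for a subsystem request that is the
# command from the Subsystem line. Anything else (a shell, scp, an arbitrary
# command) is refused so the wrapper cannot be used to escape the SFTP-only
# restriction.
request_is_sftp() {
    case "$1" in
        */sftp-server|*/sftp-server\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# gate_decision USER CMD NOW: prints allow, deny:not-sftp or deny:no-token.
# The request type is checked first so an attempted shell is logged as such
# even when the token check would also have failed.
gate_decision() {
    if ! request_is_sftp "$2"; then
        echo "deny:not-sftp"
    elif ! token_is_fresh "$1" "$3"; then
        echo "deny:no-token"
    else
        echo "allow"
    fi
}

main() {
    user=$(id -un)
    decision=$(gate_decision "$user" "${SSH_ORIGINAL_COMMAND:-}" "$(date +%s)")
    case "$decision" in
        allow)
            # Replace the wrapper with sftp-server; the session ends when it exits.
            exec "$SFTP_SERVER" ;;
        *)
            # sshd tears the session down as soon as the forced command exits,
            # which is how the script "closes the connection" from the inside.
            logger -p auth.warning -t sftp-gate "$decision for $user (${SSH_ORIGINAL_COMMAND:-no command})"
            printf 'Complete enterprise authentication before connecting over SFTP.\n' >&2
            exit 1 ;;
    esac
}

# sshd sets SSH_CONNECTION for every session; outside sshd the functions can
# be exercised without starting sftp-server.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

Because the script has to exec a real program, the Subsystem line must name the sftp-server binary rather than internal-sftp. Authentication itself still succeeds (as the comments note, ForceCommand runs after it), so failed gate decisions show up in the auth log under the sftp-gate tag rather than as sshd authentication failures; that is the place to alert on a compromised key being used without the enterprise step.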