2FA for SSH (VPS). Passwordless. Any Unix / LINUX servers. Takes Minutes.

Passwords are a pain & a big risk on SSH logins. No more!!
RSA keys need to be added for every user & every new client device. And let’s not get started on ‘sudo’ permission fiascos.

With SecureID SSH-2FA you get not only two-factor authentication and SSO, but also instant user management (yes, create SSH users and delete them). And super easy. You will see!!
And oh yeah – it’s actually multi-factor authentication, aka MFA.

So have you ever wished for “add / remove SSH users on-the-fly”, and maybe “activate an SSH user for only 60 minutes of access”? We know you are already thinking “systems support scenarios” 🙂

And you get a full audit trail on access. Plus, set up rule-based access control on contexts like location, IP and many other factors, even the last few transactions – for example, “stop access for the user if the ‘hosts’ file changed & email/SMS all admins”.

Install our SecureID SSH-2FA (two-factor authentication) module, and seconds later enjoy the super-security and ease of 2FA authentication for everyone. And yes, no passwords, but biometrics. Backward support for RSA keys, of course.

 

Features:

  • Enable 2FA for existing server users. In fact MFA. And SSO.
  • Require them to use biometrics instead of setting ‘lousy’, ‘weak’ passwords, coz frankly, who are we kidding? Most admin users “retain” passwords, and for long periods too! Why? So that passwords can be “pre-shared” with other admins, rather than being regularly updated, complex passwords that need to be “managed” and “re-shared” in a secure way! Total disaster, if you ask us, from our decades of experience developing solutions & managing dev, test, stage and production servers between developers, testers and administrators during all stages of projects.
  • Add as many SSH-server users as you like, easily, directly from the SecureID web-based admin panel or the mobile application. You WILL need administrator rights for this.
  • Another almost “magical” feature (and so very needed) – add a temporary user with SSH access for only (say) 20 minutes. Think of a support engineer on a ticket for a client-controlled SSH? And the client can approve it in real time with an eSignature (so it’s perfectly legally binding, if you want). All within SecureID. Also, please don’t hesitate to reach out in case you need a whole workflow integrated to scale your specific “technical support” operations, with rules around who can access what, when, and for how long.
  • Of course, a full audit trail of access.
  • Additional rules for fraud prevention, and monitoring with ‘watch’ & ‘alerting’ for potentially dangerous scenarios like ‘sudo’, configuration changes et al.

Now if you are a PaaS / IaaS service provider, you can imagine the power this will bring, and responsibility (& security) is already taken care of by SecureID. So yes, you can smile, and we promise you will be delighted.

Don’t worry – fallback compatibility with RSA keys is still supported. But SecureID is super-secure and protected against phishing and MITM attacks. All this with an ultra-fast installation and minor configuration that takes a few minutes.

The SecureID SSH-2FA (built around SSHd & PAM) evaluates in real time whether authentication is valid. We can introduce a virtually limitless range of factors or rules that can prevent fraud and even trigger interesting contextual “alarms” & monitoring avenues, from live event analytics and ML.

 

 

Multi-factor authentication

MFA hardens security around sensitive data, thwarting illicit attempts at privileged-account access.

Proactive monitoring

Admins can proactively monitor and centrally control access to privileged credentials, on prem or in the cloud.

Secure access control

Secure access control via SSO reduces identity sprawl and password management risk, and securely provides direct access to critical assets.

Flexibility for admins

Customizable user experience and access flexibility lets admins provide intelligent, contextual access.


 

Both mobile app + Unix/ Linux Installer

Secure SSH access with 2FA, MFA

 

 

 


 

How to Set Up SSH-2FA?

 

Step 2(a) - How to install the Secure ID SSH-2FA server-side plugin (PAM/SSHd)?

  • ssh into your server.
  • Download the Installation script from here or run the following ‘wget’ command
    wget https://secureidapp.com/assets/sid-sdks-plugins/sid-pam/sid-authenticator.sh
  • Give the script executable permissions using the following command
    chmod 700 sid-authenticator.sh
  • Run the script. The script will install all the required libraries and start the activation process.
    ./sid-authenticator.sh

Once you have downloaded and installed the plugin successfully, you can run the sid-authenticator command directly from anywhere in the system, without returning to the download location to run the script.


Step 2(B) - Activate & test the Secure ID PAM plugin

  • After the installation script is executed, it will automatically show the activation options. Alternatively, you can manually execute the sid-activate command to trigger the activation process.
  • In the activation process you need to provide an Email ID.

Activation through CSV file:

  • Activation of all users can be done through a CSV file.
  • Open/create the /tmp/secureid-users.csv file and enter the details in the following format:
    Columns: Username, Mobile Number, Email ID
  • When you select “All users activation”, you will get a prompt asking “Do you want to activate all users with csv file? (y/n):” [Enter Y]
  • All the users with the given usernames will then be activated automatically.

Step 2(C) - Repeat Step 2(B) for more users on the VPS server (optional).

  • After the Installation script is executed, it will automatically show the activation options. Alternatively, you can manually execute the sid-activate command to trigger the activation process.

Step 2(D) - Configure RSA SSH public key for the fallback user (recommended).

  • To configure your own SSH public key for an auto-created secureid fallback user (or, say, backup user), run the following command.
    sid-fallback-user
  • We strongly recommend this extra fail-safe setup, as it helps you log in in the rare case that SecureID login doesn’t work.
  • This will create a user named “secureid” and will configure your public key in its authorized_keys file.
  • Enter the RSA public key (Note: If you don’t know how to generate an id_rsa public key, check this).
  • This lets you SSH in as the "secureid" user without SecureID authentication.
  • You will see the following message after successful configuration:
    Successfully saved public key for "secureid" user

Step 3(A) - Let’s enable the Secure ID SSH (PAM) plugin for SSH login

  • Open the /etc/pam.d/common-auth file
  • Add the following line at the top of the file
    auth required pam_secureid_authenticator.so nullok
  • Comment out the remaining lines in the file, so that only SecureID authentication is enabled.
  • To enable SecureID SSH login, do the following steps
  • Open the /etc/ssh/sshd_config file
  • Locate ChallengeResponseAuthentication and change it to ChallengeResponseAuthentication yes
  • If the ChallengeResponseAuthentication line doesn’t already exist, add the above line to the file.
  • Locate UsePAM and change it to UsePAM yes
  • If the UsePAM line doesn’t already exist, add the above line to the file (namely "UsePAM yes")
  • Add the following lines at the bottom of the file
    Match all
    AuthenticationMethods keyboard-interactive publickey,keyboard-interactive
  • Finally, restart the SSH server so these changes will take effect:
    sudo service ssh restart
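
An added example (not part of the original guide or SecureID's code): an offline check that the Step 3(A) settings are the ones sshd will actually apply, since sshd uses the first value it reads for a keyword and treats lines after a Match line as conditional. The function names and the sample file are constructed here, and the parser assumes plain whitespace-separated keyword lines with no Include files.

```shell
#!/bin/sh
# Added example, not SecureID's code. Assumes whitespace-separated
# "Keyword value" lines; Include files are not followed.

# sshd_value FILE KEYWORD SECTION
# First value of KEYWORD in SECTION: "global" (before any Match line) or
# "all" (inside a "Match all" block). Keywords are case-insensitive and
# sshd uses the first value it reads, so a later duplicate is ignored.
sshd_value() {
    awk -v want="$2" -v section="$3" '
        BEGIN { want = tolower(want); cur = "global" }
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        { key = tolower($1) }
        key == "match" {
            cur = (NF == 2 && tolower($2) == "all") ? "all" : "other"
            next
        }
        cur == section && key == want {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# check_secureid_sshd FILE: returns 0 only if the Step 3(A) settings are
# the ones sshd would actually apply; prints one line per problem.
check_secureid_sshd() {
    rc=0
    for kw in ChallengeResponseAuthentication UsePAM; do
        v=$(sshd_value "$1" "$kw" global)
        [ "$v" = "yes" ] ||
            { echo "FAIL: global $kw is '${v:-unset}', expected 'yes'"; rc=1; }
    done
    v=$(sshd_value "$1" AuthenticationMethods all)
    [ "$v" = "keyboard-interactive publickey,keyboard-interactive" ] ||
        { echo "FAIL: AuthenticationMethods under 'Match all' is '${v:-unset}'"; rc=1; }
    return "$rc"
}

# Constructed sample: a stock "no" left above the "yes" appended later.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ChallengeResponseAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
Match all
AuthenticationMethods keyboard-interactive publickey,keyboard-interactive
EOF
check_secureid_sshd "$sample" || echo "Fix the file before restarting sshd."
rm -f "$sample"
```

On the server itself, `sshd -t` checks the syntax and `sshd -T` prints the effective settings; run them before the restart and keep the current session open until a new login succeeds.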


Step 3(B) - Let’s test the Secure ID PAM plugin for SSH login

  • To test the login process, run the command sid-authenticator-test
  • You will get a text menu listing all user names.
  • Select the username to test. [You will then get a SecureID mobile application push notification.]
  • If the test was successful, you will see the message “Successfully tested Secure ID plugin login for "YOUR USERNAME" user”.
  • If the login test fails, the appropriate message will be shown.

Step 3(a) - How to enable the Secure ID PAM plugin for SSH login?

  • Open the /etc/ssh/sshd_config file
  • Locate ChallengeResponseAuthentication and change it to ChallengeResponseAuthentication yes
  • If the ChallengeResponseAuthentication line doesn’t already exist, add the above line to the file.
  • Finally, restart the SSH server so your changes will take effect:
    sudo service ssh restart


 


 

SecureID by Disruptive Applications AB  

We’ve been working with customers with security needs for 2 decades. Plus, we provide creative consumer & enterprise products & services for digital transformation through software and some hardware innovation. This has given us a fortunate expertise & perspective – “No user should accept a solution that makes them adjust their requirements & scenarios; instead, real needs & nuances must drive innovation to match fine-grained scenarios”. We built SecureID first & foremost for our own needs and our journey of securing access to every digital interaction in our business and personal life (computers, devices, apps, networks, you name it). The DNA of SecureID is inherently security & privacy, and it employs top-of-the-line, bleeding-edge security encryption & all other privacy principles.