Securing SSH Keys with MFA

BSIDESRGV 2022

    ____ _____ ________  ___________ ____  _______    __   ___   ____ ___  ___
   / __ ) ___//  _/ __ \/ ____/ ___// __ \/ ____/ |  / /  |__ \ / __ \__ \|__ \
  / __  \__ \ / // / / / __/  \__ \/ /_/ / / __ | | / /   __/ // / / /_/ /__/ /
 / /_/ /__/ // // /_/ / /___ ___/ / _, _/ /_/ / | |/ /   / __// /_/ / __// __/
/_____/____/___/_____/_____//____/_/ |_|\____/  |___/   /____/\____/____/____/

SECURING SSH KEYS WITH MFA BY EDUARDO ROBLES

About speaker

  • Hi! I'm Eduardo Robles I work at the City of Pharr Innovation & Technology department as a Support Analyst.
  • Recent graduate in Cybersecurity.
  • I am the founder of the South Texas Linux Users Group.
  • You can check out my skills over on my blog or LinkedIn. Bonus, I give out a lot of free advice over there.

Securing SSH Keys with MFA

Main Topics:

  1. Learn the basics of SSH key authentication
  2. Demonstrate how to implement MFA on SSH keys
  3. Learn the benefits and downsides to MFA on SSH keys
  4. Some tips/tricks for SSH management

Before we begin…

  • This talk is for an intermediate users
  • OpenSSH version 8 or greater (both server and Client)
  • This presentation is Linux/Unix heavy
  • OpenSSH is available on latest Windows builds but your mileage may vary (try WSL?)

What inspired this talk?

  • A project, a raspberry pi, and ssh proxies.

How SSH Authentication Works

Keys, Keys, and more Keys!

SSH employs Public Key authentication, meaning all cryptography functions are done asymmetrically. DigitalOcean - Understanding the SSH Encryption and Connection Process

The more well-discussed use of asymmetrical encryption with SSH comes from SSH key-based authentication. SSH key pairs can be used to authenticate a client to a server. The client creates a key pair and then uploads the public key to any remote server it wishes to access. This is placed in a file called authorizedkeys within the ~/.ssh directory in the user account’s home directory on the remote server.

Public and Private Key Cryptography

SSH And Yubikey

  • Magic of FIDO/U2F

https://www.openssh.com/txt/release-8.2

U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types.

  • How FIDO Works

During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user.

Source: https://fidoalliance.org/how-fido-works/

SSH and TOTP

  • Once upon a time Time based One Time Passcode or TOTP for short is a method of securing authentication with short random codes. Codes are generated by an app or service like Google Authenticator or Microsoft Authenticator. You may be most familiar with using MFA app for your email or bank sign-on.

Create SSH Key

Create a "ed25519" key

ssh-keygen -t ed25519-sk -f ~/.ssh/id_testkey -N '' -C "comment goes here"

Explanation

  • -t option is for the type of keys to be created (ex. ed25519)
  • -f option is the file-name and location of the keys (ex. /path/to/file)
  • -N is the passphrase to be given, leave blank for no passphrase
  • -C enter a comment to best find keys later (ex. "github key")

Passwords, Passphrase, Passcode???

  • Password are usually for authenticating a user to a system
  • Passphrases are used for SSH keys to lock/unlock the actual keys
  • Passcode is usually a time based one time code used to secure an account with MFA

Create an SSH with TOTP

TOTP with Google Authenticator

sudo apt install libpam-google-authenticator -y

Configure TOTP Service

google-authenticator
  • You will need to answer the following questions to your needs.

Scan QR Code from Google Authenticator

Edit SSH Service

  • Edit /etc/pam.d/sshd add to end of file

    auth required pam_google_athenticator.so

  • Edit /etc/ssh/sshd_config change the following
    ChallengeResponseAuthentication yes
    UsePAM yes
    
  • Restart SSH Service

    sudo systemctl restart sshd

MFA is awesome!

Multifactor authentications is great and when implemented correctly can help secure your environments. It can help ensure that you trust who is logging into your services. And ultimately can help in preventing costly security breaches.

Watch out for these things…

  • Poorly setup MFA environments Adding to much complexity to MFA environments is not safer and does not increase security.
  • Confusing roll-out Think of your users and chose the best path with the least resistance.
  • Hostile users
  • ADA and Accessibility Issues Can users with disabilities uses your MFA?

Tips and Tricks

Adding SSH Key To Agent

Check if SSH Agent is running

This is to add the keys to the SSH Agent

eval "$(ssh-agent -s)"

Add the Keys to SSH Agent

ssh-add ~/.ssh/nameofkey

If you add your public key, OpenSSH will warn you to not use the public key.

Verify Keys Added to SSH Agent

ssh-add -l

Copy Key to Remote Server

ssh-copy-id -i ~/.ssh/testkey.pub user@remote.server.location

Remember that you want to share your public key. Never share your Private Key!

SSH Config File - Make SSH Easier

Let's look at a typical SSH command.

ssh erobles@10.0.3.11 -p 2300 -i ~/.ssh/mykeys

erobles@10.0.3.11 this states our username on the server and the IP/Hostname of the server

-p 2300 the port we are connecting to on the server

-i ~/.ssh/mykeys the Public/Private keys used in the SSH connection

SSH Config File cont.

While this is fine, it can be time consuming and easily forgotten. So let's see how this commands translates to an SSH Config file.

HOST myserver
HostName 10.0.3.11
User erobles
Port 2300
IdentityFile ~/.ssh/mykeys

Conclusion

  • I've shown how to add an extra layer of security to your SSH Keys with MFA
  • Find a good balance between ease of use and security
  • There is so much to OpenSSH, check out the documentation
  • If this doesn't work maybe give SSH Certificates a try?

Thanks!

  ________  _____    _   ____ _______    ____ _____ ________  ___________
 /_  __/ / / /   |  / | / / //_/ ___/   / __ ) ___//  _/ __ \/ ____/ ___/
  / / / /_/ / /| | /  |/ / ,<  \__ \   / __  \__ \ / // / / / __/  \__ \
 / / / __  / ___ |/ /|  / /| |___/ /  / /_/ /__/ // // /_/ / /___ ___/ /
/_/ /_/ /_/_/  |_/_/ |_/_/ |_/____/  /_____/____/___/_____/_____//____/

Date: 05-21-22

Created: 2022-05-21 Sat 08:40