SSH Hardening with Google Authenticator and OpenPAM

freebsd ssh google openpam

What is Google Authenticator?

The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM).
Google Authenticator uses the Time-based One-time Password algorithm (TOTP), which combines a secret key with the current time to produce a six-digit code. In addition to your password, you also need this code to log in. The point is that no internet connection is required; all you need is synchronized time. This technique is called 2-Step Verification.

Two-Factor Authentication Varieties

Two-factor authentication (also known as 2FA) is a method of confirming a user’s claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication. There are two types of 2FA:

  1. Time-based One-time Password (TOTP)
    This verification code is generated by an app on your phone or by a dedicated hardware device, or it is sent to you via SMS. In this article we talk about Google Authenticator (the phone app).
    With TOTP you are not the only one who holds the secret key: both the client and the server have access to it, and both know how to derive the verification code from it. All the server does is compare codes, and this shared secret is what causes security issues.
  2. Universal Second Factor (U2F)
    U2F is an open authentication standard that enables internet users to securely access any number of online services with one single device, instantly and with no drivers or client software needed. U2F was created by Google and Yubico, with support from NXP, with the vision of taking strong public key crypto to the mass market. U2F uses public key cryptography to verify your identity. In contrast with TOTP, you are the only one who knows the private key. Basically, there are two active companies that utilize U2F: SatoshiLabs and Yubico.
    SatoshiLabs is a security hardware and software company. All of its projects are related to Bitcoin. It was founded in 2013 and is headquartered in Prague, Czech Republic. Trezor is a U2F-capable bitcoin wallet made by SatoshiLabs. Yubico is a private company founded in 2007 with offices in Palo Alto, Seattle, and Stockholm. YubiKey is a USB U2F token made by Yubico.
    You could easily compare these two, but the comparison is not very useful, because the right choice depends on the situation.
    Sometimes you simply cannot plug a device into your PC; then Google Authenticator is your choice.
    U2F is not the subject of this article; we can cover it later.
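To make the TOTP mechanism concrete, here is an added Python example (not code from this article or from the Google Authenticator project) that derives codes the way both client and server do, checks them against the time-skew window, and models the rate limit and token-reuse protection that the google-authenticator setup questions in step 5 below refer to. The secret is the RFC 6238 reference key, base32-encoded; the default window of one step either side, the 3-attempts-per-30-seconds limit, and the per-user state dict are assumptions that mirror the module defaults as the article describes them.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded the way google-authenticator stores it in ~/.google_authenticator.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # a token is good for 30 seconds

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, now, step=STEP):
    """RFC 6238: HOTP with the counter derived from Unix time. Phone and server both compute this."""
    return hotp(secret_b32, now // step)

def verify(secret_b32, code, now, window=1, step=STEP):
    """Accept `code` if it matches any counter in [T-window, T+window]; return that counter or None.
    window=1 is the module default (3 valid codes); the setup question about poor time
    synchronization raises it so that skew of up to about 4 minutes is tolerated."""
    t = now // step
    for c in range(max(t - window, 0), t + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c), code):  # constant-time compare
            return c
    return None

def check_login(state, secret_b32, code, now, window=1, max_attempts=3, per_seconds=30):
    """Server-side checks around verify(): rate limit (default 3 attempts per 30 s) and
    refusal to accept an already-used token. `state` is a per-user dict kept between calls."""
    attempts = [t for t in state.get("attempts", []) if now - t < per_seconds]
    if len(attempts) >= max_attempts:
        return "rate-limited"
    attempts.append(now)
    state["attempts"] = attempts
    counter = verify(secret_b32, code, now, window)
    if counter is None:
        return "bad-code"
    if counter <= state.get("last_counter", -1):
        return "replayed"  # same token presented twice: refused, which blunts MITM replay
    state["last_counter"] = counter
    return "ok"
```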

What Is Pluggable Authentication Modules (PAM)?

The Pluggable Authentication Modules (PAM) library is a generalized API for authentication-related services which allows a system administrator to add new authentication methods simply by installing new PAM modules and to modify authentication policies by editing configuration files. PAM was defined and developed in 1995 by Vipin Samar and Charlie Lai of Sun Microsystems and has not changed much since. In 1997, the Open Group published the X/Open Single Sign-on (XSSO) preliminary specification, which standardized the PAM API and added extensions for single (or rather integrated) sign-on. At the time of this writing, this specification has not yet been adopted as a standard. In PAM parlance, the application that uses PAM to authenticate a user is the server and is identified for configuration purposes by a service name, which is often (but not necessarily) the program name.
The user requesting authentication is called the applicant, while the user (usually, root) charged with verifying his identity and granting him the requested credentials is called the arbitrator. The sequence of operations the server goes through to authenticate a user and perform whatever task he requested is a PAM transaction; the context within which the server performs the requested task is called a session. The functionality embodied by PAM is divided into six primitives grouped into four facilities: authentication, account management, session management, and password management.

PAM Varieties

There are four common types of PAM:

  1. Linux-PAM: Linux-PAM is used by almost every Linux distribution, but Linux-PAM is BSD licensed!
  2. OpenPAM: OpenPAM is a BSD-licensed implementation of PAM used by FreeBSD, NetBSD, DragonFly BSD and OS X (starting with Snow Leopard), and offered as an alternative to Linux PAM in certain Linux distributions. OpenPAM was developed for the FreeBSD Project by Dag-Erling Smørgrav and NAI Labs, the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program.
  3. Java™ PAM or JPam: PAM is basically a standard authentication module supporting Linux and UNIX. JPam acts as a bridge between the Java side and the usual PAM, enabling Java applications to use PAM modules and facilities (auth, account, passwd, session, etc.).
  4. SolarisPAM: the PAM implementation used by the Solaris operating system.

How To Add An Extra Layer Of Authentication To FreeBSD With OpenPAM?

OpenPAM was developed for FreeBSD. /etc/pam.d/ contains the configuration files for the Pluggable Authentication Modules (PAM) library. Each file details the module chain for a single service and must be named after that service. If no configuration file is found for a particular service, /etc/pam.d/other is used instead. If that file does not exist, /etc/pam.conf is searched for entries matching the specified service or, failing that, the “other” service.

How To Add 2FA On SSH?

  1. First of all, you have to install the google-authenticator PAM module.
    # pkg install pam_google_authenticator
  2. Install a QR encoder for ease of use.
    # pkg install libqrencode
    QR code (Quick Response Code) is a type of matrix barcode (or two-dimensional barcode) first designed for the automotive industry in Japan. A barcode is a machine-readable optical label that contains information about the item to which it is attached. With a QR code you can easily transfer your authentication key to your smartphone.
  3. Then edit /etc/pam.d/sshd and add the following line to the auth section:
    auth required /usr/local/lib/pam_google_authenticator.so
  4. Create a new user called “Sara” to test google-authenticator:
    Interactively:
    # adduser Sara
    Manually:
    # pw useradd -n Sara -s /bin/sh -m
    # passwd Sara
  5. Now you can run google-authenticator and simulate a full login as the “Sara” user:
    # su - Sara -c google-authenticator
    You can now see the QR code on the screen. Scan it with the “Authenticator” Android app and you will get your verification code on your smartphone.
    google-authenticator will ask you a couple of questions:
    Do you want authentication tokens to be time-based (y/n)
    Do you want me to update your “/root/.google_authenticator” file (y/n)
    your chances to notice or even prevent man-in-the-middle attacks (y/n)
    size of 1:30min to about 4min. Do you want to do so (y/n)
    Do you want to enable rate-limiting (y/n)
    You can answer all of those questions with “y”.
    By default, tokens are good for 30 seconds, and in order to compensate for possible time skew between the client and the server, one extra token before and one after the current time is allowed. If you experience problems with poor time synchronization, you can increase the window from its default. If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
  6. You must edit the SSH service configuration file (/etc/ssh/sshd_config) and add these lines to require 2FA for a specific user:
    Match User Sara
    AuthenticationMethods keyboard-interactive
  7. Restart the SSH service:
    # service sshd restart
    If the user we named “Sara” now opens an SSH connection, she will be asked for two factors:
      1. Password
      2. Verification code
    There are also other combinations, but they are not recommended:
      1. public key + password + verification code
      2. public key + verification code, without password
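A quick way to confirm that the steps above really enforce the second factor for a user is to parse the two files they touch and look for the ways the setup can silently fall back to a single factor: the PAM line missing, keyboard-interactive disabled globally, or an AuthenticationMethods alternative that never reaches PAM. This is an added Python example, not part of the article or the OpenPAM/OpenSSH projects; the sample sshd_config and pam.d/sshd contents are constructed, and the function names and the audit rules are this example's own.

```python
import re
# Constructed sample files mirroring the article's steps (not copied from any real host).
SSHD_CONFIG = """\
ChallengeResponseAuthentication yes
Match User Sara
    AuthenticationMethods keyboard-interactive
"""
PAM_SSHD = """\
auth    required    /usr/local/lib/pam_google_authenticator.so
"""

def parse_sshd_config(text):
    """Return (global_opts, {user: opts}); keys lowercased, Match blocks indexed by 'User'."""
    global_opts, match_users, current = {}, {}, None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":  # everything after 'Match User X' applies only to X
            m = re.match(r"user\s+(\S+)", value, re.I)
            current = match_users.setdefault(m.group(1), {}) if m else {}
            continue
        (global_opts if current is None else current)[key] = value
    return global_opts, match_users

def pam_loads_google_authenticator(pam_text):
    """True if an active 'auth' line in pam.d/sshd loads pam_google_authenticator.so."""
    for raw in pam_text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 3 and f[0] == "auth" and f[2].endswith("pam_google_authenticator.so"):
            return True
    return False

def audit_2fa(sshd_text, pam_text, user):
    """Reasons why `user` is NOT guaranteed to be prompted for the verification code."""
    problems, (g, users) = [], parse_sshd_config(sshd_text)
    if not pam_loads_google_authenticator(pam_text):
        problems.append("pam.d/sshd: no auth line loads pam_google_authenticator.so")
    if "no" in (g.get("challengeresponseauthentication"), g.get("kbdinteractiveauthentication")):
        problems.append("sshd_config: keyboard-interactive is disabled globally")
    methods = users.get(user, {}).get("authenticationmethods")
    if methods is None:
        problems.append(f"sshd_config: no 'Match User {user}' block sets AuthenticationMethods")
    else:  # space-separated entries are alternatives; each one must include keyboard-interactive
        for alt in methods.split():
            if "keyboard-interactive" not in [m.split(":")[0] for m in alt.split(",")]:
                problems.append(f"sshd_config: alternative '{alt}' bypasses the verification code")
    return problems
```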

You can get full edition at:
https://bsdmag.org/download/ssh-hardening-google-authenticator-openpam-zfs-feature-flags-devops/
Or:
https://contents.meetbsd.ir/ebook/openPAM_bsdmag.pdf
