
Support for Two Factor Authentication for CLI access via Google Authenticator
Open, Normal / Public / FEATURE REQUEST

Description

Google Authenticator is a software token that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP) and HMAC-based One-time Password Algorithm (HOTP), for authenticating users of mobile applications by Google. The service implements algorithms specified in RFC 6238 and RFC 4226, respectively.

On Linux-based systems, Google Authenticator can be used to provide 2FA support via PAM, and on Debian-based systems by using the libpam-google-authenticator package.

2FA support would help VyOS meet security requirements for use as critical infrastructure under emerging standards including NIST 800-171.

Details

Difficulty level: Normal (likely a few hours)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible

Event Timeline

syncer triaged this task as Low priority. Oct 7 2018, 2:21 AM

Having lifted the hood and bent a few rules....

Added:

deb http://archive.debian.org/debian squeeze main
deb http://archive.debian.org/debian squeeze-lts main

to /etc/apt/sources.list

apt-get install libqrencode3

Then runs without issue.

I then have to wget a package as google-authenticator doesn't exist in squeeze

wget http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20130529-2_amd64.deb

and dpkg -i the libpam.... package

This installed on 1.1.8 without issue or warning.

I then added "auth required pam_google_authenticator.so" to the end of /etc/pam.d/sshd

I then modified /etc/ssh/sshd_config to have "ChallengeResponseAuthentication No " --> Yes

su'ing to the user created by vyos "set system login user XXXX etc.."
and running the google-authenticator cli script, creates the appropriate .google-authenticator in the /home/USER directory and SSH MFA login then proceeds.


So how do I do this officially? Or get the work done for this to be official?

What do you propose as CLI syntax?

So exploring some wider thoughts.

My current configuration is for 2FA for all users, and if they haven't configured the google-authenticator they fail.

So we would need an "Apply 2FA to THESE specific users" feature as well.

pam_listfile can do this, by being a filter to what users a pam configuration applies to.

So you "enable" a system login user for MFA, which should add their username to the textfile pam_listfile listens to.
You then "enable a MFA provider" (in our case on google authenticator as a first option)

This would add the pam configuration lines for sshd

so /etc/pam.d/sshd would look like:

auth requisite pam_listfile.so item=user sense=allow file=/etc/mfausers
auth sufficient pam_google_authenticator.so
auth required pam_deny.so

May also just need to append 'nullok' to the pam gauth line config, which allows unset up users to log in still. May need a config option of 'enforcing' & 'allowing' to control this.

Ideas for CLI:

'set system login user USERNAME authentication mfa enable'

For google-authenticator you could have admins pre-generate the keys and supply them ssh rsa key style:

'set system login user USERNAME authentication mfa gauth key ksj3hdd3fksjdhf8'
This by default needs to be in ~/.google-authenticator

But you can use a secret=/path/to/user/gauth-key-file in the pam module, and put these key files anywhere, e.g. "auth required pam_google_authenticator.so secret=/config/auth/ovpn/gauth/${USER}"

Then, to make a service MFA enabled:
SSH:
set service ssh mfa enable
set service ssh mfa provider 'google-authenticator'

For OpenVPN it would hide out in the interfaces branch:
set openvpn vtun# mfa enable
set openvpn vtun# mfa provider 'google-authenticator'
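
The three-line /etc/pam.d/sshd stack proposed above, run through a small model of the Linux-PAM `requisite`, `sufficient` and `required` control flags. This is an added example, not part of the original thread and not VyOS code; the user names and the module stand-ins are constructed. It shows that a user missing from /etc/mfausers is rejected at the `requisite` line instead of falling through to a non-MFA login.

```python
# Added example: minimal model of the Linux-PAM control flags used in the
# stack quoted in this task. Module outcomes are constructed stand-ins.
PAM_STACK = """\
auth requisite pam_listfile.so item=user sense=allow file=/etc/mfausers
auth sufficient pam_google_authenticator.so
auth required pam_deny.so
"""

def parse_stack(text):
    """Return [(control, module)] for each 'auth' line of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def module_result(module, user, mfa_users, code_ok):
    """Stand-ins for the real modules: True = success, False = failure."""
    if module == "pam_listfile.so":        # sense=allow: succeed only if listed
        return user in mfa_users
    if module == "pam_google_authenticator.so":
        return code_ok                     # did the user supply a valid code?
    if module == "pam_deny.so":            # always fails
        return False
    raise ValueError(f"unmodelled module: {module}")

def authenticate(stack, user, mfa_users, code_ok):
    """Evaluate the auth stack; True means the login is accepted."""
    failed = False       # a required module has failed earlier in the stack
    succeeded = False    # at least one module has contributed a success
    for control, module in stack:
        ok = module_result(module, user, mfa_users, code_ok)
        if control == "requisite":
            if not ok:
                return False               # failure ends the stack at once
            succeeded = True
        elif control == "required":
            succeeded = succeeded or ok
            failed = failed or not ok      # failure recorded, stack continues
        elif control == "sufficient":
            if ok and not failed:
                return True                # success ends the stack at once
            # a failing 'sufficient' module is ignored
        else:
            raise ValueError(f"unmodelled control flag: {control}")
    return succeeded and not failed

if __name__ == "__main__":
    stack = parse_stack(PAM_STACK)
    for user, code_ok in [("alice", True), ("alice", False), ("bob", True)]:
        print(user, code_ok, authenticate(stack, user, {"alice"}, code_ok))
```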

syncer raised the priority of this task from Low to Normal.
hagbard added a subscriber: hagbard.
dmbaturin edited projects, added VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus.
dmbaturin changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
dmbaturin set Is it a breaking change? to Perfectly compatible.
dmbaturin added a subscriber: carl.byington.
Unknown Object (User) claimed this task. Sep 10 2022, 1:54 AM
Unknown Object (User) added a comment. Sep 10 2022, 1:57 AM

First we need to include the "google-authenticator" in our build

Unknown Object (User) added a comment. Edited Sep 15 2022, 5:57 AM

PR adding libpam-google-authenticator package to VyOS:
https://github.com/vyos/vyos-1x/pull/1541

CLI commands are being worked on now to support 2FA system login