
Support for Two Factor Authentication for CLI access via Google Authenticator
Open, Normal, Public, Feature Request

Description

Google Authenticator is a software token that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP) and HMAC-based One-time Password Algorithm (HOTP), for authenticating users of mobile applications by Google. The service implements algorithms specified in RFC 6238 and RFC 4226, respectively.

On Linux-based systems Google Authenticator can be used to provide 2FA support via PAM and on Debian-based systems using the libpam-google-authenticator package.

2FA support would help VyOS meet security requirements for use as critical infrastructure under emerging standards, including NIST 800-171.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared? Will be filled on close

Event Timeline

rps created this task. Oct 5 2018, 4:23 AM
rps added a comment. Oct 5 2018, 4:29 AM

May be duplicate of T483

syncer triaged this task as Low priority. Oct 7 2018, 2:21 AM

Having lifted the hood and bent a few rules....

Added:

deb http://archive.debian.org/debian squeeze main
deb http://archive.debian.org/debian squeeze-lts main

to /etc/apt/sources.list

apt-get install libqrencode3

Then runs without issue.

I then have to wget a package as google-authenticator doesn't exist in squeeze

wget http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20130529-2_amd64.deb

and dpkg -i the libpam.... package

This installed on 1.1.8 without issue or warning.

I then added "auth required pam_google_authenticator.so" to the end of /etc/pam.d/sshd

I then modified /etc/ssh/sshd_config to have "ChallengeResponseAuthentication No" --> Yes

su'ing to the user created by vyos ("set system login user XXXX etc..")
and running the google-authenticator cli script creates the appropriate .google-authenticator in the /home/USER directory, and SSH MFA login then proceeds.

So how do I do this officially? Or get the work done for this to be official?
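As an added example (not code from this task or from the pam_google_authenticator project), the arithmetic behind the codes the PAM module checks: HOTP (RFC 4226) and TOTP (RFC 6238) as referenced in the description, a reader for the per-user .google-authenticator file the comment above mentions, and a verifier that tolerates a little clock drift and refuses a code that has already been accepted. The file layout is my assumption (base32 secret on the first line, option lines beginning with a double quote, then emergency scratch codes), the window and reuse behaviour are my reading of the module's WINDOW_SIZE and DISALLOW_REUSE options, and the sample file is constructed from the RFC test key.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to elapsed 30-second steps."""
    return hotp(key, at // step, digits)


def parse_secret_file(text):
    """Parse a ~/.google-authenticator style file (layout assumed, see lead-in).
    Returns (raw key bytes, option strings, scratch codes)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty secret file")
    secret_b32 = lines[0].upper()
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)  # b32decode wants padding
    key = base64.b32decode(padded)
    options = [ln[1:].strip() for ln in lines[1:] if ln.startswith('"')]
    scratch = [ln for ln in lines[1:] if not ln.startswith('"')]
    return key, options, scratch


class TotpVerifier:
    """Accepts codes within +/- `window` steps of the current step and rejects
    any code whose counter is not newer than the last accepted one (my reading
    of what DISALLOW_REUSE provides)."""

    def __init__(self, key, window=1, step=30, digits=6):
        self.key, self.window, self.step, self.digits = key, window, step, digits
        self.last_counter = None

    def verify(self, code, at=None):
        if at is None:
            at = int(time.time())
        if not (code.isdigit() and len(code) == self.digits):
            return False
        base = at // self.step
        accepted = None
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                accepted = counter
            # keep looping over all slots so timing does not reveal which matched
        if accepted is None:
            return False
        if self.last_counter is not None and accepted <= self.last_counter:
            return False  # replay of a code already spent within the window
        self.last_counter = accepted
        return True


# Constructed sample: the RFC 4226/6238 test key, base32-encoded the way the
# google-authenticator tool writes it, plus option lines and two scratch codes.
RFC_TEST_KEY = b"12345678901234567890"
SAMPLE_SECRET_FILE = base64.b32encode(RFC_TEST_KEY).decode() + """
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""

if __name__ == "__main__":
    key, options, scratch = parse_secret_file(SAMPLE_SECRET_FILE)
    verifier = TotpVerifier(key)
    now = int(time.time())
    code = totp(key, now)
    print("options:", options, "scratch codes:", scratch)
    print("current code", code, "accepted:", verifier.verify(code, now))
    print("same code again accepted:", verifier.verify(code, now))
```

The RFC 6238 vectors (time 59 gives 94287082 with 8 digits for this key) are a quick sanity check of `hotp`; the verifier's replay rule is what stops a code sniffed from one session being replayed in the next 30 seconds.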

c-po added a subscriber: c-po. Nov 28 2018, 7:17 AM

What do you propose as CLI syntax?

So exploring some wider thoughts.

My current configuration is for 2FA for all users, and if they haven't configured the google-authenticator they fail.

So we would need an "Apply 2FA to THESE specific users" feature as well.

pam_listfile can do this, by being a filter to what users a pam configuration apply to.

So you "enable" a system login user for MFA, which should add their username to the text file pam_listfile listens to.
You then "enable an MFA provider" (in our case Google Authenticator as a first option).

This would add the pam configuration lines for sshd

so /etc/pam.d/sshd would look like:

auth requisite pam_listfile.so item=user sense=allow file=/etc/mfausers
auth sufficient pam_google_authenticator.so
auth required pam_deny.so

May also just need to append 'nullok' to the pam gauth line config, which allows users who have not set it up to still log in. May need a config option of 'enforcing' & 'allowing' to control this.

Ideas for CLI:

'set system login user USERNAME authentication mfa enable'

For google-authenticator you could have admins pre-generate the keys and supply them SSH RSA key style:

'set system login user USERNAME authentication mfa gauth key ksj3hdd3fksjdhf8'
This by default needs to be in ~/.google-authenticator

But you can use a secret=/path/to/user/gauth-key-file in the pam module, and put these key files anywhere, e.g. "auth required pam_google_authenticator.so secret=/config/auth/ovpn/gauth/${USER}"

Then to make a service MFA enabled:
SSH:
set service ssh mfa enable
set service ssh mfa provider 'google-authenticator'

For OpenVPN it would hide out in the interfaces branch:
set openvpn vtun# mfa enable
set openvpn vtun# mfa provider 'google-authenticator'
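As an added example (not VyOS code and not part of the proposal above), a toy model of the per-user design sketched in that comment: `render_mfa_config` turns a hypothetical list of MFA-enabled users and an enforcing/allowing mode into the two artefacts the proposal describes, the user list that pam_listfile reads and the three /etc/pam.d/sshd auth lines, and `evaluate_stack` walks those lines with the required/requisite/sufficient semantics from pam.conf(5) to show who gets in. The module behaviours are simplified assumptions on my part: pam_listfile with sense=allow succeeds only for listed users, pam_google_authenticator with nullok and no secret returns PAM_IGNORE and without nullok fails, and pam_deny always fails.

```python
import re

MFA_USERS_FILE = "/etc/mfausers"  # the file the proposal's pam_listfile line points at
_VALID_USER = re.compile(r"^[a-z_][a-z0-9_-]*$")


def render_mfa_config(enabled_users, mode="enforcing"):
    """Return (contents of /etc/mfausers, list of /etc/pam.d/sshd auth lines).

    mode="allowing" appends nullok to the Google Authenticator line;
    mode="enforcing" leaves it off.  User names are validated because the
    list file is newline-delimited and a name containing whitespace would
    silently become two entries."""
    if mode not in ("enforcing", "allowing"):
        raise ValueError("mode must be 'enforcing' or 'allowing'")
    for user in enabled_users:
        if not _VALID_USER.match(user):
            raise ValueError(f"refusing to write unsafe user name {user!r}")
    mfausers = "".join(f"{u}\n" for u in sorted(set(enabled_users)))
    gauth = "auth sufficient pam_google_authenticator.so"
    if mode == "allowing":
        gauth += " nullok"
    lines = [
        f"auth requisite pam_listfile.so item=user sense=allow file={MFA_USERS_FILE}",
        gauth,
        "auth required pam_deny.so",
    ]
    return mfausers, lines


def _module_result(module, args, listed, has_secret, code_ok):
    """Simplified result of each module (assumptions listed in the lead-in)."""
    if module == "pam_listfile.so":
        return "success" if listed else "fail"
    if module == "pam_google_authenticator.so":
        if not has_secret:
            return "ignore" if "nullok" in args else "fail"
        return "success" if code_ok else "fail"
    if module == "pam_deny.so":
        return "fail"
    raise ValueError(f"unmodelled module {module}")


def evaluate_stack(mfausers, lines, user, has_secret, code_ok):
    """Walk the auth stack with libpam's control-flag rules.

    requisite failure ends the stack at once; required failure is remembered
    but later modules still run; sufficient success ends the stack with
    success unless a required module already failed; PAM_IGNORE results are
    skipped.  The overall result is success only if nothing required failed
    and at least one module succeeded."""
    listed = user in mfausers.split()
    required_failed = False
    any_success = False
    for line in lines:
        _facility, control, module, *args = line.split()
        result = _module_result(module, args, listed, has_secret, code_ok)
        if result == "ignore":
            continue
        if result == "fail":
            if control == "requisite":
                return False
            if control == "required":
                required_failed = True
            continue
        any_success = True
        if control == "sufficient" and not required_failed:
            return True
    return any_success and not required_failed


if __name__ == "__main__":
    for mode in ("enforcing", "allowing"):
        mfausers, lines = render_mfa_config(["alice", "carol"], mode)
        print(f"--- {mode} ---")
        print("\n".join(lines))
        for user, has_secret, code_ok in [("alice", True, True), ("alice", True, False),
                                          ("bob", True, True), ("carol", False, False)]:
            ok = evaluate_stack(mfausers, lines, user, has_secret, code_ok)
            print(f"{user:6} secret={has_secret!s:5} code_ok={code_ok!s:5} -> {ok}")
```

What the model makes visible: a user who is not in /etc/mfausers never gets past the requisite pam_listfile line, and because the stack as quoted closes with `auth required pam_deny.so`, a listed user without a secret is denied in both modes; the nullok path only changes the outcome when another authentication method follows the Google Authenticator line, so the enforcing/allowing switch is really a question of what the rest of the sshd stack looks like.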

pasik added a subscriber: pasik. Mar 12 2019, 6:09 PM
syncer assigned this task to hagbard. Apr 18 2019, 12:20 AM
syncer raised the priority of this task from Low to Normal.