Warning

You have tried to access an archived page. Please go to the new https://root360.atlassian.net/wiki/spaces/KB to find more documents.

How to activate MFA for SSH?



This article describes the steps required by the customer to activate multi-factor authentication using OTP for logins via SSH.




What is Multi-Factor-Authentication

MFA is a simple best practice that adds an extra layer of protection on top of your existing OpenSSH key. See (Archived) How to access an environment via OpenSSH

With MFA enabled, when a user connects to the bastion host, they are validated by their key pair (the first factor - what they know) as well as by an authentication response from their MFA device (the second factor - what they have). Taken together, these multiple factors provide increased security for your environment.

General process

Currently MFA is disabled by default.


The following steps are required to enable full MFA support for environment access:

  1. check and accept preconditions

  2. request activation of MFA

  3. activate MFA

1. Preconditions

  • BatchMode must be disabled in your SSH client (see https://linux.die.net/man/1/ssh)

  • The MFA token has to be (re-)generated on each provisioning of the bastion host instance (e.g. a rebuild of the host)
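The BatchMode precondition matters because a client running with BatchMode yes suppresses interactive prompts, so the OTP challenge is never answered. As an added example that is not part of this article, the following Python checker parses an OpenSSH client config (a constructed sample, not a real environment) and reports whether BatchMode is effectively enabled for the bastion host, following OpenSSH's rule that the first value obtained for an option wins; Match and Include directives are not handled (an assumption of this checker).

```python
"""Check whether an OpenSSH client config leaves BatchMode enabled for a host.

OpenSSH takes the first value obtained for an option while scanning the config
top to bottom (global lines plus every matching Host block), so a later
'BatchMode no' cannot undo an earlier 'BatchMode yes'.
Assumption: Match blocks and Include directives are not supported here.
"""
import fnmatch
import re
from typing import Optional

# Constructed sample ~/.ssh/config (not taken from the article).
SAMPLE_CONFIG = """\
Host bastion-prod
    HostName 203.0.113.10
    User projectuser
    BatchMode no
# automation hosts: BatchMode yes would break an OTP login
Host *.example.net !bastion-prod
    BatchMode yes
Host *
    ServerAliveInterval 30
"""

def _host_matches(patterns: str, host: str) -> bool:
    """ssh_config Host rule: any positive pattern matches, unless a negated
    pattern (!name) also matches, in which case the block is ignored."""
    matched = False
    for pat in patterns.split():
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_option(config: str, host: str, option: str) -> Optional[str]:
    """Return the first value OpenSSH would obtain for `option` on `host`."""
    active = True  # lines before any Host block apply to every host
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = _host_matches(value, host)
        elif active and key == option.lower():
            return value
    return None

def batchmode_blocks_mfa(config: str, host: str) -> bool:
    """True when BatchMode is effectively 'yes' for `host`: the client would
    refuse the keyboard-interactive OTP prompt and the MFA login fails."""
    value = effective_option(config, host, "BatchMode")
    return value is not None and value.lower() == "yes"
```

Run it against your own config with the exact host name you pass to ssh, since Host patterns are matched against that name and not against the resolved HostName.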

2. Request activation of MFA


As soon as MFA is enforced, SSH login will not work anymore. You may see the following message:

    MFA required, please check our documentation https://faq.root360.cloud/564625495/How+to+activate+MFA+Multi-Factor-Authentication+for+SSH

    [projectuser]@[bastionhostIP]: Permission denied (keyboard-interactive).

To activate MFA you have to log in to the bastion host of your environment on port 222 and follow the instructions:

    $ ssh -p 222 [projectuser]@[bastionhostIP]
