Activate MFA (Multi-Factor-Authentication) for SSH and OpenVPN

Owned by Steffen Drya
Last updated: Sept 07, 2022
2 min read

What is Multi-Factor-Authentication

MFA is a simple best practice that adds an extra layer of protection on top of your existing OpenSSH key. See https://root360.atlassian.net/wiki/spaces/KB/pages/2014353011

With MFA enabled, when a user connects to bastion-host, they will be validated by their key pair (the first factor - what they know) as well as for an authentication response from their MFA device (the second factor - what they have). Taken together, these multiple factors provide increased security for your environment.

Preconditions

General process

Currently MFA is disabled by default.

When MFA is enabled by root360, MFA is enforced for all users incl. root360 customer service staff and project users. Exceptions are not supported. You need to cross-check with your CI/CD integration to ensure your processes are not disrupted.

Following steps are required to enable full MFA support environment access:

  1. check and accept preconditions

  2. request activation of MFA

  3. activate MFA

Preconditions for MFA

  • BatchMode must be disabled in your SSH client (see https://linux.die.net/man/1/ssh)

  • MFA token has to be (re-)generate on each provisioning of bastion host instance (e.g. rebuilt of the host)

Request activation of MFA

Request activation of MFA for a dedicated environment via change request at https://support.root360.cloud.

Activate MFA (only required for SSH)

As soon as MFA is enforced, SSH login will not work anymore. You may see following message

MFA required, please check our documentation https://faq.root360.cloud/564625495/How+to+activate+MFA+Multi-Factor-Authentication+for+SSH   [projectuser]@[bastionhostIP]: Permission denied (keyboard-interactive).

To activate MFA you have to login to the bastion-host of your environment to port 222 and follow the instructions:

$ ssh -p 222 [projectuser]@[bastionhostIP]

You may scan QR code or use verification secret and add it to you virtual device MFA.

Supported Methods

For SSH access we support virtual device MFA with TOTP. You may use compatible apps like "Google Authenticator" or "Authy" to manage your virtual MFA.

For OpenVPN we support authentication with your https://root360.atlassian.net/wiki/spaces/KB/pages/2014350431 password.

Each virtual MFA device assigned to a user must be unique. A user cannot type a code from another user's virtual MFA device to authenticate.

Related tutorials

Related Components

 

 

root360 Knowledge Base - This portal is hosted by Atlassian (atlassian.com | Privacy Policy)