You are about to run out of excuses for not having multi-factor authentication enabled for your servers. While it's not a security silver bullet, it is a great way to make it more difficult for an attacker to gain access to your system. Other people can more eloquently make the case for multi-factor authentication. I am going to show you how to get it working using Ansible.
Don't worry, you don't have to implement your own. Duo Security offers multi-factor authentication as a service, using either text messages, phone calls, or push notifications (supporting both Android and iOS devices). The best part is that for small organizations it's free! Provided here is everything you need to get Duo Security SSH integration working on Ubuntu 12.04.
The entire playbook is on GitHub: https://github.com/jlafon/ansible-duo-security.
Sign up for a Duo Security account
- Go here and sign up.
- Set up a Unix Integration by following the instructions in the 'First Steps' section.
- You will need the integration key, secret key, and API hostname later.
- Add your smart phone to your Duo account and associate it with your user.
apt-get install python-pip python-paramiko python-yaml python-jinja2 python-simplejson git-core
git clone git://github.com/ansible/ansible.git
source ./ansible/hacking/env-setup
Download the playbook
git clone git://github.com/jlafon/ansible-duo-security.git
Set the playbook variables
Edit roles/duo_security/vars/main.yml and set the values appropriately.
duo_integration_key: your-key-here
duo_secret_key: your-secret-key # Don't actually put this value in source control
duo_api_hostname: your-api-endpoint
Run the playbook
Running the playbook will add Duo Security's repository and authentication key, install the Duo Security login client, and configure the SSH server to use the Duo Security login client for all logins.
ansible-playbook -c local site.yml
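After the play finishes, it is worth confirming that the host really ended up in the state described above: sshd hands every login to login_duo, and the integration values in the Duo client config are real and not readable by other users. The following check script is an added example, not part of the ansible-duo-security playbook; it assumes the Duo Unix package defaults of /usr/sbin/login_duo, /etc/ssh/sshd_config and /etc/duo/login_duo.conf, and the placeholder values from vars/main.yml above.

```shell
#!/bin/sh
# Post-deployment check for the state the playbook aims for. Added example, not
# part of the playbook; the file paths are the Duo Unix package defaults
# (assumption). Exit 0 = all checks pass, 1 = at least one finding.

# Read "key = value" from login_duo.conf, ignoring commented-out lines.
duo_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

check_duo_ssh() {
    sshd_config=${1:-/etc/ssh/sshd_config}
    duo_conf=${2:-/etc/duo/login_duo.conf}
    rc=0
    # 1. Every login must be handed to login_duo; a commented-out line is not active.
    if ! grep -Eq '^[[:space:]]*ForceCommand[[:space:]]+/usr/sbin/login_duo' "$sshd_config"; then
        echo "FAIL: $sshd_config has no active 'ForceCommand /usr/sbin/login_duo'"; rc=1
    fi
    # 2. Forwarding and tunnels are set up before the forced command runs, so
    #    Duo recommends disabling them whenever login_duo is used via ForceCommand.
    for opt in AllowTcpForwarding PermitTunnel; do
        if ! grep -Eq "^[[:space:]]*${opt}[[:space:]]+no[[:space:]]*\$" "$sshd_config"; then
            echo "FAIL: $sshd_config does not set '$opt no'"; rc=1
        fi
    done
    # 3. The integration values must be real, not the placeholders from vars/main.yml.
    if [ ! -r "$duo_conf" ] || ! grep -q '^\[duo\]' "$duo_conf"; then
        echo "FAIL: $duo_conf missing or has no [duo] section"; return 1
    fi
    for key in ikey skey host; do
        val=$(duo_conf_get "$duo_conf" "$key")
        case "$val" in
            ''|your-*) echo "FAIL: $duo_conf: $key is unset or still a placeholder"; rc=1 ;;
        esac
    done
    # 4. skey is a credential: the file must not be readable by other users.
    if find "$duo_conf" -perm -004 | grep -q .; then
        echo "FAIL: $duo_conf is world-readable"; rc=1
    fi
    # 5. failmode=safe (the default) lets logins through when Duo is unreachable.
    if [ "$(duo_conf_get "$duo_conf" failmode)" != "secure" ]; then
        echo "WARN: $duo_conf: failmode is not 'secure'; logins succeed if Duo is unreachable"
    fi
    return $rc
}

# Usage: ./check_duo_ssh.sh [sshd_config] [login_duo.conf]
if [ $# -gt 0 ]; then
    check_duo_ssh "$@"
fi
```

Run it as root on the target host after the playbook; a non-zero exit means at least one of the settings the playbook is supposed to enforce is missing.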
Login via multi-factor authentication
ssh your-user@your-server
Duo two-factor login for ubuntu

Enter a passcode or select one of the following options:

 1. Duo Push to XXX-XXX-1234
 2. Phone call to XXX-XXX-1234
 3. SMS passcodes to XXX-XXX-1234

Passcode or option (1-3): 1
Pushed a login request to your phone...
Success. Logging you in...
Now, when I log in and choose option 1, I get a push notification on my iPhone that looks like this: