A blog about cloud computing and development
About me

Multi-factor SSH authentication with Ansible and Duo Security

Introduction

You are about to run out of excuses for not having multi-factor authentication enabled for your servers.While it's not a security silver bullet, it is a great way to make it more difficult for an attacker to gain access to your system. Other people can more eloquently make the case for multi-factor authentication. I am going to show you how to get it working using Ansible.

Don't worry, you don't have to implement your own. Duo Security offers multi-factor authentication as a service, using either text messages, phonecalls, or push notifications (supporting both Android and iOS devices). The best part is that for small organizations it's free! Provided here is everything you need to get Duo Security SSH integration working on Ubuntu 12.04.

The entire playbook is on GitHub: https://github.com/jlafon/ansible-duo-security.

Sign up for a Duo Security account

  • Go here and sign up.
  • Set up a Unix Integration by following the instructions in the 'First Steps' section.
  • You will need the integration key, secret key, and API hostname later.
  • Add your smart phone to your Duo account and associate it with your user.

Install Ansible

apt-get install python-pip python-paramiko python-yaml python-jinja2 python-simplejson git-core
git clone git://github.com/ansible/ansible.git
source ./ansible/hacking/env-setup

Download the playbook

git clone git://github.com/jlafon/ansible-duo-security.git

Set the playbook variables

Open roles/duo_security/vars/main.yml and set the values appropriately.

duo_integration_key: your-key-here
duo_secret_key: your-secret-key # Don't actually put this value in source control
duo_api_hostname: your-api-endpoint

Run the playbook

Running the playbook will add Duo Security's repository and authentication key, install the Duo Security login client, andconfigure the SSH server to use the Duo Security login client for all logins.

ansible-playbook -c local site.yml

Login via multi-factor authenication

ssh your-user@your-server
Duo two-factor login for ubuntu

Enter a passcode or select one of the following options:

 1. Duo Push to XXX-XXX-1234
 2. Phone call to XXX-XXX-1234
 3. SMS passcodes to XXX-XXX-1234

Passcode or option (1-3): 1

Pushed a login request to your phone...
Success. Logging you in...

Now, when I log in and choose option 1, I get a push notification on my iPhone that looks like this:

Push notification screen shot