Score:0

How can I set up 2FA on non-interactive SSH connections?

I would like to add a level of security for logins to an SSH server (Ubuntu), using two-factor authentication. One particularity of how the users connect to the SSH server is that sometimes they do it in a non-interactive way: the SSH server is configured in the users' MySQL client to be used as a bastion/proxy to reach a database. As a consequence I'm looking for 2FA setups that don't require the user to type anything in a terminal.

One existing solution that sounds promising in theory is Google's phone prompt allowing the user to validate the connection. Every SSH user would be associated with a phone number and this phone number would receive a prompt to validate on each connection.

An obvious downside to this idea is that it sounds like it would require the development of a phone app, which would make it way too complicated and expensive. Are there other techniques that I could use to allow users to validate non-interactive SSH logins?

gxx
Did you find a solution?
@gxx I did not :-(
Score:0

You could use an SSH-CA to issue temporary short-term OpenSSH user certificates only valid for a couple of hours. The user has to request the cert by authenticating with any MFA solution you prefer. The SSH cert and private key will be loaded into the SSH key agent and can be used until the user cert expires.

There are various SSH-CA implementations out there with my EKCA being one of them. YMMV.
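
The short-lived certificate flow from the answer above, sketched with stock `ssh-keygen` as an added example; it is not part of the original answer and is not EKCA's code. The key file names, the principal `alice`, the 2-hour lifetime and the choice to grant only port forwarding (for the database-tunnel use case in the question) are assumptions, and the MFA check that gates issuance is out of scope.

```shell
#!/bin/sh
# Added example (not EKCA, not from the original post). Key names, the
# principal "alice" and the 2-hour lifetime are constructed assumptions.

# Create the CA key pair. Demo only: a real CA key needs a passphrase or HSM.
make_ca() {  # make_ca CA_KEY_PATH
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$1"
}

# Sign USER_PUB once the user has passed MFA (the MFA step is out of scope).
# -V limits the lifetime; -O clear + permit-port-forwarding leaves the cert
# usable for tunnelling to the database but not for a pty or agent forwarding.
issue_cert() {  # issue_cert CA_KEY USER_PUB PRINCIPAL VALIDITY KEY_ID
    ssh-keygen -q -s "$1" -I "$5" -n "$3" -V "$4" \
        -O clear -O permit-port-forwarding "$2"
}

# First principal listed in the certificate.
cert_principal() {  # cert_principal CERT
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {getline; sub(/^[ \t]+/, ""); print; exit}'
}

# Succeeds only if the certificate has an expiry (not "Valid: forever").
cert_expires() {  # cert_expires CERT
    ssh-keygen -L -f "$1" | grep -q 'Valid: from .* to '
}

# Extensions granted by the certificate, space-separated.
cert_extensions() {  # cert_extensions CERT
    ssh-keygen -L -f "$1" | awk '/Extensions:/ {f=1; next}
        f {sub(/^[ \t]+/, ""); printf "%s%s", sep, $0; sep=" "} END {print ""}'
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/user_ca"
    ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$d/id_alice"  # user key pair
    issue_cert "$d/user_ca" "$d/id_alice.pub" alice +2h "alice-constructed-id"
    ssh-keygen -L -f "$d/id_alice-cert.pub"
    # Server (sshd_config): TrustedUserCAKeys /etc/ssh/user_ca.pub
    # Client: ssh-add -t 2h "$d/id_alice"   # loads the key and its -cert.pub
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument `demo` to print a sample certificate. Once the certificate is in the agent, a non-interactive client such as the MySQL client's SSH tunnel can authenticate until it expires without prompting the user.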
