Use SSH certificate for authentication instead of passwords
Just using a username and a password for accessing the router makes me a little nervous. With only this piece of information anyone can log into the router at any time. This is why I have a private key in my PuTTY and propagate my public key to the boxes I want to reach.
First we need to get our public key (from PuTTY, for example) onto the EdgeRouter.
cd ~
vi import_keys
I just paste it into vi, but it should be in the following format:
ssh-rsa loooooooooooooooooooooooooooooooooooooooooongpublickey AGoodNameOfTheKey
Now the temporary key file needs to be imported into our configuration. After that it is not needed anymore and is therefore deleted.
configure
loadkey mynewusername import_keys
exit
rm import_keys
Now we can test from PuTTY whether we can connect with the certificate. Note that password authentication is still allowed at this point!
An extra factor – adding Google authenticator for SSH
Using certificates for authentication is a good step up. But what if the machine holding my certificate gets compromised? Then whoever has it has access to the EdgeRouter 24/7. A countermeasure is using Google Authenticator on my phone. Then an attacker needs both the certificate on my PC and my phone.
First we download and install the Google Authenticator Debian package:
sudo -i
cd ~ && mkdir ./downloaded-packages && cd downloaded-packages
curl -O http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20160607-2%2Bb1_mips.deb
dpkg --force-all -i libpam-google-authenticator_20160607-2%2Bb1_mips.deb
exit
Note: For the small versions of the EdgeRouter Lite, use "libpam-google-authenticator_20160607-2_mips.deb" instead. They don't have the 64-bit architecture.
Now we run the authenticator to generate the secret key for our phone.
google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/mynewusername/.google_authenticator" file (y/n): y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n): y
By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n): y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n): y
Just answer yes to all questions. This prints out the secret key that you type into the authenticator app. If you have installed the "libqrencode3" apt package, you also get a large QR code on the screen that you can simply scan with the phone.
Now we need to set up PAM in Linux to use the Google Authenticator. We also disable password authentication and require both the key and the one-time code.
sudo -i
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
sed -i -e 's/@include common-auth/#@include common-auth/g' /etc/pam.d/sshd
sed -i -e 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /opt/vyatta/etc/ssh/sshd_config
sed -i -e 's/PasswordAuthentication yes/PasswordAuthentication no/g' /opt/vyatta/etc/ssh/sshd_config
echo "AuthenticationMethods publickey,keyboard-interactive" >> /opt/vyatta/etc/ssh/sshd_config
At this point it would be clever to test it. Keep your current session open while you test a fresh connection, so that a mistake does not lock you out of the router. Save the config with the "save" command and then reboot the device with the "reboot" command.
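Before rebooting, it is worth checking that the edits above actually produced the intended end state. The following script is an added example, not code from the original post: it reads an sshd_config and a PAM sshd file (paths are parameters, the live ones on the EdgeRouter are assumed to be /opt/vyatta/etc/ssh/sshd_config and /etc/pam.d/sshd as used above) and reports anything that would still let a password or a single factor through.

```shell
#!/bin/sh
# Added example (not from the original post): verify the SSH hardening end state.
# effective_value FILE KEYWORD -> prints the last uncommented value of KEYWORD.
# sshd honours the first occurrence, but the post appends with >> and edits with
# sed, so any duplicate or leftover line is reported as a problem by the caller.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# count_settings FILE KEYWORD -> number of uncommented lines setting KEYWORD.
count_settings() {
    awk -v key="$2" 'tolower($1) == tolower(key) { n++ } END { print n + 0 }' "$1"
}

# check_ssh_hardening SSHD_CONFIG PAM_SSHD
# Prints one line per problem; returns 0 only when every check passes.
check_ssh_hardening() {
    cfg="$1"; pam="$2"; rc=0
    [ "$(effective_value "$cfg" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(effective_value "$cfg" ChallengeResponseAuthentication)" = "yes" ] ||
        { echo "ChallengeResponseAuthentication is not 'yes'"; rc=1; }
    [ "$(effective_value "$cfg" AuthenticationMethods)" = "publickey,keyboard-interactive" ] ||
        { echo "AuthenticationMethods does not require publickey AND keyboard-interactive"; rc=1; }
    for k in PasswordAuthentication ChallengeResponseAuthentication AuthenticationMethods; do
        [ "$(count_settings "$cfg" "$k")" -le 1 ] ||
            { echo "$k is set more than once; sshd uses the FIRST occurrence"; rc=1; }
    done
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam" ||
        { echo "pam_google_authenticator.so is not required in $pam"; rc=1; }
    grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam" &&
        { echo "common-auth is still included: a password could satisfy the second factor"; rc=1; }
    return $rc
}

# Run against the live files when two paths are given on the command line.
if [ $# -eq 2 ]; then
    check_ssh_hardening "$1" "$2" && echo "OK: key + one-time code required, passwords off"
fi
```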
What do we have?
Now our router's SSH management interface is secured with a certificate and Google Authenticator. This means that my phone is needed in order to log in to the EdgeRouter and change the configuration or install software. In the next part we will have a look at some firewall setup.