Edgerouter Security, Part3

Use SSH certificate for authentication instead of passwords

Just using a username and a password for accessing the router makes me a little nervous. With only this piece of information anyone can log into the router at any time. This is why I have a private key in my PuTTY and propagate my public key to the boxes I want to reach.

First we need to get our public key (e.g. from PuTTY) to the Edgerouter.

cd ~
vi import_keys

I just paste it into vi, but it should be in the following format:

ssh-rsa loooooooooooooooooooooooooooooooooooooooooongpublickey AGoodNameOfTheKey

Now the temporary keyfile needs to be imported into our configuration. After that it’s not needed anymore and is therefore deleted.

loadkey mynewusername import_keys
rm import_keys

Now we can test from PuTTY whether we can connect with the certificate. Note that password authentication is still allowed at this point!

An extra factor – adding Google authenticator for SSH

Using certificates for authentication is a good step up. But what if my machine with my certificate gets compromised? Then there is access to the Edgerouter 24/7. A countermeasure could be using Google Authenticator on my phone. Then the attacker needs both my certificate on my PC and my phone.

First we download and install the Google Authenticator Debian package:

sudo -i
cd ~ && mkdir ./downloaded-packages && cd downloaded-packages
curl -O http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20160607-2%2Bb1_mips.deb
dpkg --force-all -i libpam-google-authenticator_20160607-2%2Bb1_mips.deb

Note: For small versions of the Edgerouter lite, use “libpam-google-authenticator_20160607-2_mips.deb” instead… They don’t have the 64 bit architecture.

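Now we run the authenticator (the google-authenticator program) to give us a secret key for our phone. Run it as the user who will log in, because it writes its settings to that user's home directory. It asks the following questions: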

Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/mynewusername/.google_authenticator" file (y/n): y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n): y
By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n): y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n): y

Just answer yes to all questions. This prints a secret key you can type into the authenticator app. If you have installed the “libqrencode3” apt package, you also get a huge QR code on the screen that you can just scan with the phone.

Now we need to set up PAM in Linux to use the Google Authenticator. We also disable password authentication.

sudo -i
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
sed -i -e 's/@include common-auth/#@include common-auth/g' /etc/pam.d/sshd
sed -i -e 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /opt/vyatta/etc/ssh/sshd_config
sed -i -e 's/PasswordAuthentication yes/PasswordAuthentication no/g' /opt/vyatta/etc/ssh/sshd_config
echo "AuthenticationMethods publickey,keyboard-interactive" >> /opt/vyatta/etc/ssh/sshd_config

At this point it would be clever to test it. Save the config with the “save” command and then reboot the device with the “reboot” command.
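
One way to check the result of the steps above before relying on it (an added example, not part of the original post; the function names, the sample files and the "Match User backup" block are constructed for illustration):

```shell
#!/bin/sh
# Added example (not from the original post): check that the edits are in
# effect. sshd uses the FIRST value it finds for a keyword and treats lines
# after a "Match" line as conditional, so a line appended with ">>" can be
# ignored. Assumes the plain "Keyword value" line form.

# Print the effective global value of an sshd_config keyword, lowercased.
sshd_effective() {  # $1 = config file, $2 = keyword
    awk -v want="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        { key = tolower($1) }
        key == "match" { exit }              # global section ends here
        key == want { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }
    ' "$1"
}

# Succeed if an uncommented line of a PAM file matches the extended regex.
pam_has_active() {  # $1 = PAM file, $2 = regex
    grep -v '^[[:space:]]*#' "$1" | grep -Eq "$2"
}

# Print one FAIL line per problem; return 0 only if everything is in place.
audit_ssh_2fa() {  # $1 = sshd_config, $2 = PAM sshd file
    rc=0
    [ "$(sshd_effective "$1" PasswordAuthentication)" = no ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_effective "$1" ChallengeResponseAuthentication)" = yes ] ||
        { echo "FAIL: ChallengeResponseAuthentication is not 'yes'"; rc=1; }
    [ "$(sshd_effective "$1" AuthenticationMethods)" = publickey,keyboard-interactive ] ||
        { echo "FAIL: AuthenticationMethods is not in effect globally"; rc=1; }
    pam_has_active "$2" 'pam_google_authenticator\.so' ||
        { echo "FAIL: pam_google_authenticator.so is not active"; rc=1; }
    pam_has_active "$2" '@include[[:space:]]+common-auth' &&
        { echo "FAIL: common-auth is still included"; rc=1; }
    return "$rc"
}

# Constructed sample files: "good" mirrors the result of the steps above;
# "bad" has the AuthenticationMethods line appended after a Match block.
make_samples() {  # $1 = empty directory to write into
    printf '%s\n' 'Port 22' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication yes' \
        'AuthenticationMethods publickey,keyboard-interactive' > "$1/good_sshd"
    printf '%s\n' 'Port 22' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication yes' 'Match User backup' \
        'AuthenticationMethods publickey,keyboard-interactive' > "$1/bad_sshd"
    printf '%s\n' '#@include common-auth' 'account required pam_nologin.so' \
        'auth required pam_google_authenticator.so' > "$1/pam_sshd"
}
```

On the router, call audit_ssh_2fa with /opt/vyatta/etc/ssh/sshd_config and /etc/pam.d/sshd. Keep the current SSH session open and try the new login from a second one, so a mistake does not lock you out.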

What do we have?

Now our router's SSH management interface is secured with certificate and Google Authenticator. This means that my phone is needed in order to log in to the Edgerouter and change the configuration or install software. In the next part we will have a look at some firewall setup.

5 thoughts to “Edgerouter Security, Part3”

  1. When I connect using putty I get disconnected before I can enter the google auth code. I double checked the entries in sshd and sshd_config. Any suggestions? Thanks.

    1. Hi modman,

      In order to get sshd to reload its configuration you need to restart the service:
      service ssh restart

      Maybe that's what you are missing?

      Best regards,

      1. I hit the same issue. After reboot the sshd service would surely be restarted.
        Installed the mipsel google authenticator on edgerouter X. And libqrencode3. Works fine.
        However when connecting I get disconnected then console says:
        Further authentication required
        And a popup: Disconnected: No supported authentication methods available (server sent: keyboard-interactive)

        1. Ok. Got it working. In sshd I put:
          #@include common-auth
          auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok
