Use SSH certificate for authentication instead of passwords
Just using a username and a password for accessing the router makes me a little nervous. With only this piece of information anyone can log into the router at any time. This is why I have a private key in my PuTTY and propagate my public key to the boxes I want to reach.
First we need to get our public key (e.g. from PuTTY) onto the EdgeRouter.
cd ~
vi import_keys
I just paste it into vi, but it should be in the following format:
ssh-rsa loooooooooooooooooooooooooooooooooooooooooongpublickey AGoodNameOfTheKey
Now the temporary key file needs to be imported into our configuration. After that it is not needed anymore and is therefore deleted.
configure
loadkey mynewusername import_keys
exit
rm import_keys
Now we can test from PuTTY whether we can connect with the certificate. Note that password authentication is still allowed at this point!
An extra factor – adding Google authenticator for SSH
Using certificates for authentication is a good step up. But what if my machine with my certificate gets compromised? Then there is access to the EdgeRouter 24/7. A countermeasure could be using Google Authenticator on my phone. Then the attacker needs both my certificate on my PC and my phone.
First we download and install the Google Authenticator Debian package:
sudo -i
apt-get install libqrencode3
cd ~ && mkdir ./downloaded-packages && cd downloaded-packages
curl -O http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20170702-1_mips.deb
dpkg --force-all -i libpam-google-authenticator_20170702-1_mips.deb
exit
Note: for the small versions of the EdgeRouter Lite, use “libpam-google-authenticator_20160607-2_mips.deb” instead; they don’t have the 64-bit architecture.
Now we run the authenticator to give us a private key for our phone.
google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/mynewusername/.google_authenticator" file (y/n): y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n): y
By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n): y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n): y
Just answer yes to all questions. This spits out a private key you can type into the authenticator app. If you have installed the “libqrencode3” apt package, you also get a large QR code on the screen that you can simply scan with the phone.
Now we need to set up PAM in Linux to use the Google Authenticator. We also disable password authentication.
sudo -i
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
sed -i -e 's/@include common-auth/#@include common-auth/g' /etc/pam.d/sshd
sed -i -e 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /opt/vyatta/etc/ssh/sshd_config
sed -i -e 's/PasswordAuthentication yes/PasswordAuthentication no/g' /opt/vyatta/etc/ssh/sshd_config
echo "AuthenticationMethods publickey,keyboard-interactive" >> /opt/vyatta/etc/ssh/sshd_config
At this point it would be clever to test it. Save the config with the “save” command and then reboot the device with the “reboot” command.
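As an added example that is not part of the original post: a small POSIX shell check, run before the reboot, that confirms the four settings from the commands above actually landed in the two files the post edits (an active "@include common-auth" would still let a password satisfy keyboard-interactive). It assumes only grep, mktemp and printf; the sample files it builds are constructed for illustration, not taken from a real router.

```shell
#!/bin/sh
# Added example (not from the original post): verify the sshd/PAM hardening
# before rebooting, so a missed sed does not lock you out or leave passwords on.

# check_sshd_config FILE -> 0 if every required directive is present and uncommented
check_sshd_config() {
    f="$1"
    grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$f" || return 1
    grep -Eq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes' "$f" || return 1
    grep -Eq '^[[:space:]]*AuthenticationMethods[[:space:]]+publickey,keyboard-interactive' "$f" || return 1
    return 0
}

# check_pam_sshd FILE -> 0 if the authenticator module is in the auth stack
# (either "required" or a [..] control field) and common-auth is commented out
check_pam_sshd() {
    f="$1"
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|\[[^]]*\])[[:space:]]+pam_google_authenticator\.so' "$f" || return 1
    # an active @include common-auth lets the password stack answer keyboard-interactive
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$f"; then
        return 1
    fi
    return 0
}

# Constructed sample files: a correctly hardened pair and a "forgot one sed" pair.
# Prints the directory that holds them.
make_samples() {
    d="$(mktemp -d)"
    printf 'PasswordAuthentication no\nChallengeResponseAuthentication yes\nAuthenticationMethods publickey,keyboard-interactive\n' > "$d/sshd_config.good"
    printf 'PasswordAuthentication yes\nChallengeResponseAuthentication yes\nAuthenticationMethods publickey,keyboard-interactive\n' > "$d/sshd_config.bad"
    printf '#@include common-auth\nauth required pam_google_authenticator.so\n' > "$d/pam.good"
    printf '@include common-auth\nauth required pam_google_authenticator.so\n' > "$d/pam.bad"
    echo "$d"
}

# On the router itself (paths from the post) run, before "save" and "reboot":
#   check_sshd_config /opt/vyatta/etc/ssh/sshd_config && check_pam_sshd /etc/pam.d/sshd \
#       && echo "hardening present" || echo "hardening INCOMPLETE"
```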
What do we have?
Now our router's SSH management interface is secured with a certificate and Google Authenticator. This means that my phone is needed in order to log in to the EdgeRouter and change the configuration or install software. In the next part we will have a look at some firewall setup.
When I connect using putty I get disconnected before I can enter the google auth code. I double checked the entries in sshd and sshd_config. Any suggestions? Thanks.
Hi modman,
In order to get sshd to reload it configuration you need to restart the service:
service ssh restart
Maybe that's what you are missing?
Best regards,
Alex
I hit the same issue. After reboot the sshd service would surely be restarted.
Installed the mipsel google authenticator on edgerouter X. And libqrencode3. Works fine.
However when connecting I get disconnected then console says:
Further authentication required
And a popup: Disconnected: No supported authentication methods available (server sent: keyboard-interactive)
Ok. Got it working. In sshd I put:
#@include common-auth
auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok
Hi Edwin,
I am glad you figured it out 🙂
Best regards,
Alex
How did you do this? I’m in the same boat and barely understand *nix
Took me a bit to find the one that worked.. but for EdgeRouter X w/ v1.9.7+hotfix.4 firmware, you need the below google-authenticator.
libpam-google-authenticator_20170702-1_mipsel.deb
Thank you Joel! You just saved me much work.
Hi Joel,
I’m trying to install Google Authenticator on my EdgeRouter X w/ v1.10.9 firmware.
libpam-google-authenticator_20170702-1_mipsel.deb package no longer exists.
I’m trying to install the newer version libpam-google-authenticator_20170702-2_mipsel.deb, but it fails with the following error message:
root@ERxRouter:~/downloaded-packages# dpkg -i libpam-google-authenticator_20170702-2_mipsel.deb
dpkg-deb: error: archive ‘libpam-google-authenticator_20170702-2_mipsel.deb’ contains not understood data member control.tar.xz, giving up
dpkg: error processing libpam-google-authenticator_20170702-2_mipsel.deb (--install):
subprocess dpkg-deb --control returned error exit status 2
Errors were encountered while processing:
libpam-google-authenticator_20170702-2_mipsel.deb
Hi,
libpam-google-authenticator_20170702-1_mipsel.deb is no longer available.
libpam-google-authenticator_20170702-2_mipsel.deb fails with the following message:
dpkg-deb: error: archive ‘libpam-google-authenticator_20170702-2_mipsel.deb’ contains not understood data member control.tar.xz, giving up
dpkg: error processing libpam-google-authenticator_20170702-2_mipsel.deb (--install):
subprocess dpkg-deb --control returned error exit status 2
Errors were encountered while processing:
libpam-google-authenticator_20170702-2_mipsel.deb
How can I fix this issue? Thanks!
After doing “dpkg --force-all -i *.deb”, I run “google-authenticator” but the EdgeRouter Pro gives me the following error: -vbash: /usr/bin/google-authenticator: cannot execute binary file. Any ideas?
I get an error message:
E: Unable to locate package libgrencode 3
I’m using an Edge Router X v1.10.7. No clue as to how to resolve. Any help appreciated.
Got by the problem with libqrencode3.
Now I get error message: dpkg;dpkg: error processing libpam-google-authenticator_20170702-1_mipsel.deb (--install):
subprocess dpkg-deb --control returned error exit status 2
Errors were encountered while processing:
libpam-google-authenticator_20170702-1_mipsel.deb
I have Edge Router X running v1.10.7
Joel indicated the mipsel.deb worked for him. Can’t get it to work for me. Also tried the original script using “ibpam-google-authenticator_20170702-1_mipsel.deb” and have the same problem.