Two-factor authentication setup in OS ROSA Desktop Fresh R9

From Rosalab Wiki
Revision as of 16:15, 27 December 2017 by Juliette (Talk | contribs) (Creating the QR code for everyday user on the computer and entering it into the phone)

This is a page snapshot, showing old (but not deleted) versions of images and templates.
Jump to: navigation, search

Every security administrator is very well aware of the fact that a lengthy passwords are not more secure than a shorty ones, not at all. Better security requires two-factor authentication. Many people are already familiar with it (2FA) since the online shopping process with a credit card requires not only a simple Cv2 code but often a single use text message from the bank security system or some other additional authentication factor (howdy, fingerprint authentication?).

Of course, the data on the hard disk of stolen from you laptop cannot be protected that way, we need a cryptography here, but, if somebody is trying to spot your password from behind your shoulder in order to use it later — the two-factor authentication is a right choice.

So, what do you need to set up the two-factor authentication in ROSA?

Up to a challenge? Follow the instruction below!

Why do you need the two-factor authentication and what is its purpose?

Two-factor authentication (multi-factor authentication) its a tool to make the login process (and many other use cases which require the verification of certain identity) more secure. Every time you use the two-factor authentication, this makes your password security much more higher compared to simply entering the password.

User passwords are needed for:

  • Everyday login into OS GUI mode
  • Unlocking the screen after the screensaver has blocked it
  • Parallel login (i.e. into the virtual console)
  • Remote login into the system (i.e. using the SSH)
  • Login into the virtual console getty (ALT+F2...F6)
  • Switch the user context, i.e. use su and sudo commands to perform some actions using the credentials of some other user

Now imagine some situations: Suppose you suspect your password was stolen but by some reason you are unable to change it right now

Somebody is watching you from behind your shoulder or with the mirror while you are entering your actual password

Suppose your password was stolen while you were entering the keyboard symbols trying to connect to your home machine over SSH from an Internet café or from some friend's computer, and the stolen password can now be used by an intruder.

The Internet is full of easy to use free software for password interception, which grabs the entered symbols from your keyboard and write them into the file, and the file can be copied or transferred somewhere else afterwards.

The attacker can easily buy a keyboard specially designed to intercept the entered symbols and write them down to embedded USB stick. In the Internet are also available the USB switchers which do the same (or the attacker can solder it by itself using some spare parts etc)

You think your password is too simple or too obvious and can be mentally brute forced by some metallic bad guys from the Megatron series.

In all the cases above the two-factor authentication can really help. And to know how to implement it you just have to read thorough out howto. By the end of it you'll become a wise security expert who just laughs in the face of a Chinese bot trying to break into your system.

The multi-factor authentication (and the two-factor authentication thereof) is based on the principle that states that for an user to establish their identity there must be present a combination of a few correctly supplied factors:

  • some secret known to the user, such as a password
  • some physical object in the possession of the user, such as a USB stick with a secret token, a bank card, a key, etc.
  • some physical characteristic of the user, such as a fingerprint, eye iris, voice, typing, etc. In this case we are talking about biometrical authentication or the biometrics.


In ROSA Desktop Fresh R9 we recommend a two-factor authentication with the one-time TOTP passwords valid for only 30 seconds. We consider this implementation to be the most acceptable and comfortable for the users.

This implementation of the two-factor authentication on ROSA does not require some complex configuration processes or using some rare software or hardware. Worth noting that two-factor authentication will not require the Internet connection to function.

List of supported ROSA versions:

At the moment the following versions are supported (earlier versions are not supported):

  • ROSA Desktop Fresh R9 GNOME;
  • ROSA Desktop Fresh R9 KDE (switch from KDM graphical login manager to LightDM is required);
  • ROSA Desktop Fresh R9 PLASMA (switch from SDDM graphical login manager to LightDM is required)
  • Any ROSA versions (Fresh/RED) based on 2014.1 or 2016.1 packages base with GDM or LightDM graphical login manager.


Installation prerequisites and requirements

In order to set up the two-factor authentication on ROSA Desktop Fresh R9 you will need:

  • The package google-authenticator from the ROSA repositories.
  • Mobile phone (a smartphone) or a tablet (Windows Phone©, Android© or Apple© iOS© device) which we will turn into a token with the key and will generate the one-time passwords.
  • The clocks on both devices must be synchronized, that's a very critical factor, only very subtle shift in time is allowed between the two devices.
  • For the clock syncing you should use the NTP Internet time servers, for example ntp.rosalinux.ru and ntp2.rosalinux.ru or any other NTP server of your choice.
  • Tin foil cap (a joke)



Restrictions and limitations you should be aware of

Please keep in mind the following:

  • If your token (aka your phone or tablet) will be lost or battery low, you would not be able to login into your system the normal way
  • If the time difference between the two devices will become too big, you would not be able to login into your system the normal way
  • Remember that while the security of your system will rise, the user-friendliness will decline. For login process you will need two devices instead of one (your computer) and every time you'll have to enter two passwords instead of only one.
  • The user context switching tasks may become a pain, since you'll need the one-time password of the other user, too.


Benefits you should be aware of

  • The level of security of your system will rise significantly. From now on you may not worry that your root or user password may be exposed or compromised.
  • There is no need to buy some costly hardware or software, you'll do it yourself and for free (your neighbor may want it, too, for a beer or 10 buck ;) )
  • Your security is provided to you by you only, it's 100% yours, no third party cloud or another kind of service involved!
  • You will be using high technology and security solutions in your everyday life and be proud of it
  • You may motivate your friends and family to use the two-factor authentication, too.
  • Share your experience with your friends, neighbors and cousins and receive free live exp and respect points!


The setup and operation principles of the two-factor authentication in OS ROSA Desktop Fresh R9

The general principles of two-factor authentication in ROSA are the following:

  • The package google-authenticator needs to be installed
  • The authentication algorithm is Time-based One Time Password Algorithm (TOTP), RFC 6238
  • during installation and setup process the 80-bit key is generated per user, this key is displayed using the QR code (default option) or as a Base32 code of 16 (default value), 26 or 32 characters.
  • The QR code is then displayed on the computer screen and is scanned with the phone (or the user enters the 16 characters code manually in the installed phone or tablet application)
  • The software on the phone then calculates the HMAC-SHA1 based on the QR code (or 16 characters code)
  • After that a part of HMAC is extracted and converted into one-time password of 6 (default value) symbols length, this password is then shown on the phone display
  • This one-time 6 symbols password will be valid for 30 seconds (default value)


Mobile phone or tablet software required for the two-factor authentication

Below is a list of free (at the moment when this article was written) most popular programs for one-time passwords generation on mobile devices. We tried to list the software that scopes in almost full range of most popular models of phones. There are some non-free utilities, also, but we are not including it in our howto.


For the Android smartphones and tablets:


For Apple© iOS© smartphones and tablets:

For Microsoft© Windows Phone© or Microsoft© Surface© tablets:

Setting the two-factor authentication on the ROSA Desktop Fresh R9 Gnome

Installing the software and clock synchronization

Before you begin: make sure the time between your computer and phone is synchronized, otherwise your setup will fail.

For this purpose you can use drakclock utility. To start drakclock, press ALT+F2 and enter 'drakclock'. Check if date/time and time zone settings are correct.

drakclock provides a list of a network time servers, chose one or two from that list or find another servers in the Internet and perform the clock synchronization. You can user ROSA time servers: ntp.rosalinux.ru and ntp2.rosalinux.ru.


Time synchronization using drakclock


Install google-authenticator:

urpmi google-authenticator

Installing programs on the phone or tablet

Before you begin: make sure the time between your computer and phone is synchronized, otherwise your setup will fail. 

Consult your phone/tablet manual to learn how the clock synchronization works on your device. Perform the clock synchronization between your computer and phone/tablet.

Recommended phone/tablet software

For the Android smartphones and tablets:


For Apple© iOS© smartphones and tablets:

For Microsoft© Windows Phone© or Microsoft© Surface© tablets:

Generating the QR code (key) for computer administrator account (root)

Switch to the administrator (root) account:

su - 

or

sudo -i

During the first step you should always setup the one-time password for the root, because if anything goes wrong later you may always fix it using the root privileges. Create the key for the root using the following command (in the xterm terminal):

google-authenticator


Picture 2. Acquiring the QR code or the digital key.

Entering the QR code (digital key) into the your phone

Run the recently installed application on your mobile device or the tablet, and follow the steps. Perform the scanning of the acquired QR code. In case your application does not support QR code scanning, enter the 6 digits key manually. This key is right below the QR code, here's the example of what the key string may look like:

Your new secret key is: ABCDEFGH12345678


See the example of the scanned QR code on the picture below:

Example of the code scanning

Creating the QR code for everyday user on the computer and entering it into the phone

The process of code creation for the normal user is no different from the same process for the root. Run the xterm and switch the user context as follows:

 su - <username>

Then with the acquired privileges of the other user, run:

 google-authenticator

Another QR code will be generated for the user. The example of the code see on the picture above.

Then repeat the step of scanning the QR code or entering the 6-digits key into your phone or tablet.

Repeat the step as many times as many users you have in your system. After the setup will be finished, you won't be able to login into your system without the one-time password.

Do not forget to switch the user context every time you generate the code for an user.

Setting up the GDM display manager to work with two-factor authentication

If you use ROSA Fresh R9 and GNOME desktop environment, see the instructions below.

The configuration process requires the root privileges.

Edit the first 4 strings of the /etc/pam.d/gdm-password file as follows:

 #%PAM-1.0
 auth       required    pam_env.so
 auth       required    pam_unix.so
 auth       sufficient  pam_google_authenticator.so
 auth       sufficient  pam_succeed_if.so user ingroup nopasswdlogin


Remember, the PAM module settings no not require reboot in order to apply, all changes are applied immediately. You now have two-factor authentication for graphical login all set up.

Enter the first password as usual.

Entering user password in GDM


Start the application on your phone, select the user account you would like to login into and be ready to enter the one-time password. Remember, the password is valid only for 30 seconds. The mobile phone applications usually provides a time progress bar.

Generating the one-time password on the phone

When the request for the TOTP password will pop up, enter the digits shown on the phone screen into the GDM textbox. The two-factor authentication for graphical system login is now set up for your system.


Entering the one-time password in GDM


The basics are done, but if you want to configure the two-factor authentication for:

  • The text console login and the switching the user context from the command line
  • The sudo mechanism
  • Remote login using SSH

...then please read below.

Setting up the two-factor authentication and switching the user context in a text console

This process requires the root privileges. Edit the first 4 strings of the /etc/pam.d/system-auth file as follows:

 auth        required      pam_env.so
 auth        required      pam_unix.so try_first_pass nullok
 auth        sufficient    pam_google_authenticator.so
 auth        required      pam_deny.so

The changes are applied immediately, so immediately after file saving is made, the text console login will be set up for a one-time password using.

Setting up the two-factor authentication in a getty text console

The same configuration works for the switching context also, for the su command, for example.

The two-factor authentication for user context switching

Setting up the two-factor authentication for sudo

You will need the root privileges

visudo

Edit the string

Defaults    env_reset

as follows:

Defaults    env_reset, timestamp_timeout=0

The two-factor authentication for sudo was configured already when you applied the changes in the 'system-auth' file, but the change above forces the system to prompt for the password every time the sudo is used, which raises the overall system security level.


Setting up the two-factor authentication for remote SSH login

First switch into the root context.

Find the following string in the /etc/ssh/sshd_config file:

 UsePAM no

and edit it as follows:

 UsePAM yes

Restart the sshd service:

 systemctl restart sshd

After the sshd has been restarted the two-factor authentication will begin working for the remote ssh connections to your computer.

Setting up the two-factor authentication in ROSA Fresh with KDE or PLASMA desktop environment

The configuration process for two-factor authentication in KDE or PLASMA environments is no different from the configuration process for GNOME, described above.

The difference is minimal. As usual, do not forget to synchronize the time between the two devices. You will need the root privileges for the setup process.

First install the LightDM graphical login manager:

 urpmi lightdm

Then disable your current login manager and activate the lightdm: In case of PLASMA:

 systemctl disable sddm 
systemctl enable lightdm

In case of KDE:

 systemctl disable kdm 
systemctl enable lightdm

Edit the /etc/pam.d/lightdm file so the first 3 strings would look as follows:

 auth       required    pam_env.so
 auth       required    pam_unix.so
 auth       sufficient  pam_google_authenticator.so

After that you'll be able to reboot and get your two-factor authentication working for the graphical console.

The configuration process for text only console, context switching and for working with sudo and ssh are identical to those of the GNOME version.