[Solved] Persistent Authentication for ssh with dual-factor


Post by jscarville » 2021/08/21 16:05:35

Is there a way to get dual factor authentication for ssh in which the second factor only has to be entered once per day or other time period?

The idea is to set up jump hosts for ssh that require 2FA. A jump host can then be used to provide access to other servers that will, in turn, be restricted to only accepting connections from the jump hosts.

Ideally for my environment, the first login would require a public key, password, or Kerberos TGT plus the second factor. Subsequent logins on the same server would only require the first factor.

I've checked out Duo and Okta. Duo has not gotten back to me yet on the persistence. Okta can do it -- mostly -- but I discovered a way to hijack credentials from one user to another -- even across client machines -- so it is less attractive.
Last edited by jscarville on 2021/08/21 22:53:54, edited 1 time in total.


Re: Persistent Authentication for ssh with dual-factor

Post by jscarville » 2021/08/21 22:53:06

Thanks to some help from a user on Stack Exchange, I was able to solve this one.

I added to the globals section of .ssh/config for one of my test users:


Host *
  ControlMaster auto
  ControlPath ~/.ssh/master-%r@%h:%p
 
I logged onto a test server and got the expected authentication prompts.

I can now use the multiplexed connection as a ProxyJump to connect to other machines "normally".
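
Added example, not part of the thread and not OpenSSH's own tooling: a per-Host audit of the multiplexing options used above, since every session that reuses a ControlMaster socket rides the already-authenticated connection for as long as the master lives. The host names, the 8h value and the sample config are constructed; note that ControlPersist with a time is an idle timeout, not an absolute lifetime.

```shell
# Added example: per-Host-block audit of OpenSSH client multiplexing options.
# Simplification: first-match-wins merging across Host blocks is not modelled.

audit_mux_config() {   # reads a client config on stdin, prints one finding per line
    awk '
    BEGIN { host = "(global)" }
    function report() {
        if (cm ~ /^(yes|auto|ask|autoask)$/ && cp != "") {
            if (cp ~ /^\/(tmp|var\/tmp|dev\/shm)\//)
                print host ": ControlPath in a directory writable by other users"
            if (persist == "" || persist == "no")
                print host ": no ControlPersist, master is tied to the first session"
            else if (persist == "yes" || persist == "0")
                print host ": ControlPersist never expires, no periodic re-prompt"
        }
        cm = cp = persist = ""
    }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    /^#/ || /^$/ { next }
    {
        key = tolower($0); sub(/[ \t=].*$/, "", key)        # keyword, case-insensitive
        val = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)    # rest of the line
        if (key == "host") { report(); host = val }
        else if (key == "controlmaster")  cm = tolower(val)
        else if (key == "controlpath")    cp = val
        else if (key == "controlpersist") persist = tolower(val)
    }
    END { report() }'
}

sample_config() {   # constructed sample; host names and the 8h value are placeholders
    cat <<'EOF'
Host jump-a
  ControlMaster auto
  ControlPath ~/.ssh/master-%r@%h:%p

Host jump-b
  ControlMaster auto
  ControlPath /tmp/ssh-%r@%h:%p
  ControlPersist yes

Host jump-c
  ControlMaster auto
  ControlPath ~/.ssh/master-%r@%h:%p
  ControlPersist 8h
EOF
}

sample_config | audit_mux_config
```

A live master can be inspected with `ssh -O check <host>` and closed with `ssh -O exit <host>`.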
