Title: Enable multi-factor authentication on OpenBSD
Author: Solène
Date: 06 February 2021
Tags: openbsd security
Description:
# Introduction

In this article I will explain how to add a bit more security to your OpenBSD system by adding a requirement for users logging into the system, locally or by ssh. I will explain how to set up two-factor authentication (2FA) using TOTP on OpenBSD.

What is TOTP (Time-based One-time Password)

When do you want or need this? It adds a burden in terms of usability: in addition to your password you will need a device that has been pre-configured to generate the one-time passwords, and if you don't have it you won't be able to log in (that's the whole point). Let's say you activated 2FA for ssh connections on an important server: if your private ssh key gets stolen (and without a passphrase, bouh!), the hacker will not be able to connect to the SSH server without also having access to your TOTP generator.
# TOTP software

Here is a quick list of TOTP software:

- command line: oathtool from the package oath-toolkit
- GUI and multiplatform: KeepassXC
- Android: FreeOTP+, andOTP, OneTimePass etc. (seen on F-Droid)
# Setup

A package is required in order to provide the various programs needed. The package comes with a README file at /usr/local/share/doc/pkg-readmes/login_oath with many explanations about how to use it. I will take a lot of information from there for the local login setup.

```shell command with a # sign indicating it should be run as root
# pkg_add login_oath
```
You will have to add a new login class, depending on the kind of authentication you want. You can either allow password OR TOTP, or require password AND TOTP (in the form of TOTP_CODE/password as the password to type). From the README file, add what you want to use:

```file /etc/login.conf sample including comments starting with #
# totp OR password
totp:\
	:auth=-totp,passwd:\
	:tc=default:

# totp AND password
totppw:\
	:auth=-totp-and-pwd:\
	:tc=default:
```
If you have a /etc/login.conf.db file, you have to run cap_mkdb on /etc/login.conf to update it. Most people don't need this; it only helps a bit with performance when you have many, many rules in /etc/login.conf.
# Local login

Local login means logging in on a TTY, in your X session, or anything else requiring your system password. You can then switch the users you want to use TOTP to the corresponding login class with this command.

```shell command with a # sign indicating it should be run as root
# usermod -L totp some_user
```
In the user's home directory, you have to generate a key and give it the correct permissions.

```shell command with a $ sign indicating it should be run as a regular user
$ openssl rand -hex 20 > ~/.totp-key
$ chmod 400 ~/.totp-key
```
The .totp-key file contains the secret that will be used by the TOTP generator, but most generators will only accept it encoded as base32. You can use the following python3 command to convert the secret into base32.

```shell command, replace the placeholder with the hex content of ~/.totp-key
python3 -c "import base64; print(base64.b32encode(bytes.fromhex('YOUR SECRET HEX')).decode())"
```
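Before switching a user to a TOTP login class, it is worth checking that the generator app produces the same codes the system will expect. The following script is an added example written for this article (it is not code from the post or from login_oath): it mirrors the enrollment steps above, turning a hex secret like the one in ~/.totp-key into base32, and computes the RFC 6238 code for a given time, assuming the usual defaults of HMAC-SHA1, a 30-second step and 6 digits.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Added example, not from the post or login_oath. Parameters assumed:
# HMAC-SHA1, 30-second step, 6 digits (the usual TOTP defaults).

def new_hex_secret(nbytes: int = 20) -> str:
    """Equivalent of `openssl rand -hex 20`: a random secret as hex."""
    return os.urandom(nbytes).hex()

def hex_to_base32(hex_secret: str) -> str:
    """Convert the hex secret stored in ~/.totp-key into the base32 form
    most generator apps expect; a trailing newline in the file is ignored."""
    return base64.b32encode(bytes.fromhex(hex_secret.strip())).decode("ascii")

def totp(hex_secret: str, now: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code for the given Unix time (default: current time)."""
    key = bytes.fromhex(hex_secret.strip())
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def code_matches(hex_secret: str, entered: str, now: Optional[int] = None,
                 step: int = 30, window: int = 1) -> bool:
    """Compare an entered code against the current step and `window` steps
    either side, which absorbs small clock drift between host and phone."""
    t = int(time.time() if now is None else now)
    return any(hmac.compare_digest(totp(hex_secret, t + k * step, step), entered)
               for k in range(-window, window + 1))

if __name__ == "__main__":
    secret = new_hex_secret()
    print("hex secret for ~/.totp-key:", secret)
    print("base32 for the generator  :", hex_to_base32(secret))
    print("code right now            :", totp(secret))
```

Enter the base32 string into the generator app and compare its display with the code printed by the script; if they agree, the login class can be enabled for that user.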
# SSH login

It is possible to require your users to use TOTP or a public key + TOTP. When you refer to "password" in ssh, this is the same password as for local login, so it can be the plain password for a regular user, the TOTP code for users in the totp class, and TOTP/password for users in the totppw class.

This allows fine-grained tuning of the login options. The password requirement in SSH can be enabled per user or globally by modifying the file /etc/ssh/sshd_config.

sshd_config man page about AuthenticationMethods

```Sample configuration including comments for /etc/ssh/sshd_config
# enable for everyone
AuthenticationMethods publickey,password

# for one user
Match User solene
	AuthenticationMethods publickey,password
```
Let's say you enabled the totppw class for your user and you use "publickey,password" in AuthenticationMethods in ssh. You will then need your ssh private key AND your password AND your TOTP generator.

Even without any TOTP, using this setting in SSH lets you require users to present both their key and their system password in order to log in; TOTP only adds more strength to the requirements to connect, but also more complexity for people who may not be comfortable with such security levels.
# Conclusion

In this text we have seen how to enable 2FA for your local login and for login over ssh. Be careful not to lock yourself out of your system by losing the 2FA generator.