If you have any questions, you can always get a free consultation:

+1-800-994-9492 info@devopsprodigy.com

DevOpsProdigy Isolate

Send request # #

AUTHENTICATION SERVER

The idea behind Isolate is that we should somehow manage how do people get access to our servers. How can we make this process more secure? How could we prevent a system from being compromised when someone lost the laptop with ssh key. What would we do in case someone quits the company - is there an alternative to just changing all passwords, keys, etc?

# # #
  1. Isolate adds OTP 2FA to SSH login. It could be hardware YubiKey or Google Authenticator app. If someone lost the password - OTP key is here and the intruder can't get access to the bastion host.
  2. Users don't get direct access to endpoint servers - they go there through Isolate server, the system tracks their actions.
  3. You can easily manage access to the bastion server - add/remove users, etc.

Technically you should generate and place the bastion host key on endpoint servers, and users will get regular access to Isolate server with the sudoer access to ssh command.

Once they want to connect to the endpoint server, the system executes ssh command and ssh client running with privileged user permissions gets server key and using it the system gets access to the server we need to get access to.

#

Supports

  • OTP (counter and time based) 2FA algorithms
  • SSH sessions logging
#

Requirements

  • CentOS 7 / Ubuntu 16.04 / Debian 9 setup
  • Ansible 2.3+ for install or update
Follow # Join us in # Join to Slack #

INSTALL

for ubuntu only:

# apt update; apt install python python-pip python-dev -y

edit

ansible/hosts.ini

and run:

cd ansible

ansible-playbook main.yml

and restart server

# reboot

append to

/etc/bashrc (/etc/bash.bashrcon debian/ubuntu):

if [ -f /opt/auth/shared/bash.sh ]; then

source /opt/auth/shared/bash.sh;

fi

append to

/etc/sudoers (or usevisudo )

%auth ALL=(auth) NOPASSWD: /opt/auth/wrappers/ssh.py

SSH

/etc/ssh/sshd_config:

# AuthorizedKeysFile /etc/keys/%u_authorized_keys

PermitRootLogin without-password

PasswordAuthentication yes

GSSAPIAuthentication no

AllowAgentForwarding no

AllowTcpForwarding no

X11Forwarding no

UseDNS no

MaxStartups 48:20:300

TCPKeepAlive yes

ClientAliveInterval 36

ClientAliveCountMax 2400

systemctl restart sshd

systemctl status sshd

OTP

add to

/etc/pam.d/sshd (/etc/pam.d/common-auth on debian/ubuntu):

auth required pam_oath.so usersfile=/etc/oath/users.oath window=20 digits=6

#%PAM-1.0

auth required pam_sepermit.so

auth substack password-auth

auth required pam_oath.so usersfile=/etc/oath/users.oath window=20 digits=6

auth include postlogin

...>

sed -i -e 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config

add to

/etc/ssh/sshd_config

Match Group auth

AuthenticationMethods keyboard-interactive

systemctl restart sshd

systemctl status sshd

Tell us about your setup and we'll tell you how we can help

Make a request for support

Free consultation:
1-800-994-9492 or info@DevOpsProdigy.com

#

Our sales representative will contact you in less than 24 hours.