A simple set of steps to configure 2-Factor authentication on SmartOS using Duo Push.
Sign up for a Duo Security account at https://www.duosecurity.com/partners/joyent
Go through the sign up process for Duo and sign in.
You will be prompted to create an Integration (essentially an authentication setup).
Select "UNIX Integration" from the Integration Type drop down.
Call the Integration "duo_smartmachine".
Click Create Integration.
You will be presented with a page showing the Integration Key, Secret Key, and API Hostname. Treat the Secret Key like a password: it is what lets this host authenticate to Duo.
Log in to your SmartOS instance.
Install the Duo integration package from PKGSRC:
pkgin -y in duo-unix
chmod go= /opt/local/etc/login_duo.conf
The chmod is a workaround for a defect in the package that leaves /opt/local/etc/login_duo.conf readable by group and others. That is clearly bad, since the file will hold your Secret Key, and login_duo reasonably refuses to use a config file with those permissions.
Edit /opt/local/etc/login_duo.conf: put the Integration Key after "ikey = ", the Secret Key after "skey = " and the API Hostname after "host = ", then remove the ";" in front of "pushinfo = yes". With pushinfo enabled the push notification includes the command being run, which is how you can tell what you are approving for non-interactive commands like SCP and SFTP, where no prompt is shown.
Run /opt/local/sbin/login_duo by hand and confirm it works (it can reach the Duo API and accepts the config file) before tying your SSH key to it.
Add this to (or create) /root/.ssh/authorized_keys. The essential part is the forced command: every use of this key now goes through login_duo, and smartmachine_user (the -f argument) is the Duo username the login is checked against, so it has to match the User in the Duo Admin Console (if that user does not exist yet, you are offered self-enrollment on first login, as shown below):
command="/opt/local/sbin/login_duo -f smartmachine_user" ssh-rsa YOUR...SSH...RSA...PUBLIC...KEY... firstname.lastname@example.org
Attempt login to your SmartMachine as root via SSH. You should see the following:
$ ssh root@example.com
Please enroll at https://api-APIKEY.duosecurity.com/portal?ENROLLMENTCODE
Connection to example.com closed.
Visit https://api-APIKEY.duosecurity.com/portal?ENROLLMENTCODE and follow the instructions.
Attempt login to your SmartMachine via SSH again. You should now see the Duo MFA prompts:
Duo two-factor login for smartmachine_user

Enter a passcode or select one of the following options:

 1. Duo Push to XXX-XXX-8380
 2. Phone call to XXX-XXX-8380
 3. SMS passcodes to XXX-XXX-8380

Passcode or option (1-3):
Type 1 and hit Enter. You should see the following:
Pushed a login request to your phone...
You should get the Push Request on your phone. The user interaction depends on your platform, but generally you are given a Login Request screen showing the user attempting to log in, the Integration they are logging in with, their IP Address, Location, Time, and the Server IP they are logging into.
You are also, most importantly, given the opportunity to Approve or Deny. Click Approve (if you did not initiate this login, Deny it and investigate; catching exactly that case is the point of the push). You should see the following (with a different UUID, and possibly a different SmartMachine version) in your SSH session:
Success. Logging you in...
   __        .                   .
 _|  |_      | .-. .  . .-. :--. |-
|_    _|     ;|   ||  |(.-' |  | |
  |__|   `--'  `-' `;-| `-' '  ' `-'
                   /  ;  SmartMachine (base64 13.1.0)
                   `-'   http://wiki.joyent.com/jpc2/SmartMachine+Base
[root@some-uuid ~]#
You are now done. Your root login to your SmartMachine is now protected with Duo Push Multi-factor Authentication.
You can make the Duo Push step silent by adding "autopush = yes" to /opt/local/etc/login_duo.conf. Duo then sends a push request straight to the phone (when one is enrolled) and prints nothing at the SSH prompt. This hides both the existence of MFA and which MFA product is in use from an attacker who has obtained the key and might otherwise go after the second factor directly.
Note that with "autopush = yes" a user whose key is accepted by SSH but who is not yet enrolled in Duo will not be shown the self-enrollment prompt; the login simply fails. That is consistent with the stealth goal, but may not be what you want in your use case.
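The following script ties the install and configuration steps above together: it renders login_duo.conf with pushinfo and the optional autopush setting, writes it with the permissions login_duo demands, checks those permissions, and builds the forced-command authorized_keys entry. It is an added example, not code from the original page or from Duo. The Integration Key, Secret Key, API Hostname and public key in it are constructed placeholders, and the extra no-*-forwarding options it puts on the authorized_keys line are a hardening addition beyond what the page shows.

```sh
#!/bin/sh
# Added example, not from the original page or from Duo: render login_duo.conf
# with the permissions login_duo demands, and build the forced-command
# authorized_keys entry. All keys, hostnames and the public key below are
# constructed placeholders; substitute the values from the Duo admin page.
set -eu

# Render the [duo] section of /opt/local/etc/login_duo.conf to stdout.
# $1 Integration Key, $2 Secret Key, $3 API Hostname, $4 autopush (yes/no).
render_login_duo_conf() {
    ikey=$1; skey=$2; host=$3; autopush=${4:-no}
    printf '[duo]\n'
    printf 'ikey = %s\n' "$ikey"
    printf 'skey = %s\n' "$skey"
    printf 'host = %s\n' "$host"
    printf 'pushinfo = yes\n'       # put the command in the push notification
    printf 'autopush = %s\n' "$autopush"
}

# Write the config at $1 from the remaining args, never letting the Secret Key
# touch disk with group/other permissions (umask in a subshell, then the same
# chmod go= the page uses as belt and braces).
write_login_duo_conf() {
    path=$1; shift
    ( umask 077; render_login_duo_conf "$@" > "$path" )
    chmod go= "$path"
}

# Return 0 when $1 has no group/other permission bits at all, the state
# login_duo insists on before it will read the file; 1 otherwise. Parses ls -l
# rather than stat(1), whose flags differ between SmartOS and Linux.
conf_perms_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Build the authorized_keys entry for Duo user $1 and public key $2.
# command= forces every use of the key through login_duo, as on the page; the
# no-*-forwarding options (standard OpenSSH key options, an addition here)
# stop the key from opening tunnels while login_duo is still waiting.
authorized_keys_line() {
    duo_user=$1; pubkey=$2
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/opt/local/sbin/login_duo -f %s" %s\n' \
        "$duo_user" "$pubkey"
}

# Demo with constructed placeholder values, written to a temp file rather than
# /opt/local/etc so the script is safe to run anywhere.
demo() {
    tmp=$(mktemp)
    write_login_duo_conf "$tmp" DIAAAAAAAAAAAAAAAAAA not-a-real-secret api-00000000.duosecurity.com no
    if conf_perms_ok "$tmp"; then
        echo "config permissions OK"
    else
        echo "config is group/world readable; login_duo will refuse it"
    fi
    cat "$tmp"
    authorized_keys_line smartmachine_user "ssh-rsa AAAAB3NzaEXAMPLE user@example.org"
    rm -f "$tmp"
}

demo
```

On a real SmartMachine you would call write_login_duo_conf with /opt/local/etc/login_duo.conf as the first argument and append the output of authorized_keys_line to /root/.ssh/authorized_keys; the permission check is worth keeping in whatever configuration management you use, since a later package upgrade can reintroduce the world-readable file the page warns about.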
If you can't log in you can do one of two things: