Setting up 2-Factor Authentication on a SmartMachine (Duo Push)

A simple set of steps to configure 2-Factor authentication on SmartOS using Duo Push.

Prerequisites

  1. A smartphone running iOS, Android, BlackBerry or Windows Phone (required for Duo Push; Duo also offers a broad variety of other two-factor options that don't require a smartphone)
  2. A SmartMachine version 13.1.0 or later (possible in earlier versions, but more complicated)

Procedure

  1. Sign up for Duo Security
  2. Create a Duo UNIX Integration
  3. Create a Duo User 
  4. Activate your phone with Duo Mobile
  5. Configure SmartMachine for Duo Push
  6. Test Duo Push

Sign Up for Duo Security

Sign up for a Duo Security account at https://www.duosecurity.com/partners/joyent

Go through the sign up process for Duo and sign in.

Create Duo UNIX Integration

You will be prompted to create an Integration (essentially an authentication setup).

Select "UNIX Integration" from the Integration Type drop down.

Call the Integration "duo_smartmachine".

Click Create Integration.

You will be presented with a page showing the Integration Key, Secret Key, and API Hostname.

Configure SmartMachine for Duo Push

Log in to your SmartOS instance.

Install the Duo integration package from PKGSRC:

pkgin -y in duo-unix
chmod go= /opt/local/etc/login_duo.conf

The chmod works around a defect in the package that leaves /opt/local/etc/login_duo.conf world-readable. That is clearly bad (the file holds the Secret Key), and login_duo will reasonably refuse to use a world-readable configuration file.

Edit /opt/local/etc/login_duo.conf and enter the Integration Key after "ikey = ", the Secret Key after "skey = ", and the API Hostname after "host = ". Remove the ";" before "pushinfo = yes" to enable Duo Push for non-interactive commands like SCP and SFTP.

Run login_duo and test that it works.

Add this to (or create) /root/.ssh/authorized_keys. The essential part of the integration is smartmachine_user, which has to match the User you created in the Duo Admin Console:

command="/opt/local/sbin/login_duo -f smartmachine_user" ssh-rsa YOUR...SSH...RSA...PUBLIC...KEY... your.name@example.com
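Before moving on to the test, the following added shell script (not from the original page or from Duo) checks the configuration just made: that login_duo.conf is owner-only readable, that ikey/skey/host are filled in, that pushinfo is uncommented, and that every key in authorized_keys carries the login_duo forced command, since any key without it reaches a root shell with no Duo prompt at all. It runs against constructed sample files with placeholder values; the paths of the real files are noted at the bottom.

```sh
# Added example (not from the original page): pre-flight checks for the
# login_duo setup above, to run before "Test Duo Push".

# 0 if FILE is readable by its owner only. The config holds the Secret Key and
# login_duo refuses a group/world-readable file (ls is parsed; stat flags vary).
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if KEY ($2) has a non-empty, uncommented value in config FILE ($1).
conf_value_set() {
    _v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1)
    [ -n "$_v" ]
}

# Prints authorized_keys entries lacking the login_duo forced command: each is
# an SSH key that reaches a root shell without Duo. Exit 0 = some were found.
list_unforced_keys() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
        | grep -v '^command="/opt/local/sbin/login_duo -f [^"]*"'
}

# check_duo_setup CONF KEYS: one line per finding; returns 0 only if all pass.
check_duo_setup() {
    _rc=0
    owner_only "$1" || { echo "FAIL: $1 is group/world readable"; _rc=1; }
    for _k in ikey skey host; do
        conf_value_set "$1" "$_k" || { echo "FAIL: $_k is empty in $1"; _rc=1; }
    done
    grep -q '^[[:space:]]*pushinfo[[:space:]]*=[[:space:]]*yes' "$1" \
        || { echo "FAIL: pushinfo = yes is still commented out in $1"; _rc=1; }
    _u=$(list_unforced_keys "$2") && { echo "FAIL: key(s) in $2 bypass Duo:"; echo "$_u"; _rc=1; }
    return $_rc
}

# make_samples DIR: constructed config/key files with placeholder values (not
# real credentials): one pair that passes and one that fails every check.
make_samples() {
    printf '[duo]\nikey = DIEXAMPLE0000000000\nskey = EXAMPLESKEYNOTREAL\nhost = api-EXAMPLE.duosecurity.com\npushinfo = yes\n' > "$1/good.conf"
    printf '[duo]\nikey = \nskey = EXAMPLESKEYNOTREAL\nhost = api-EXAMPLE.duosecurity.com\n;pushinfo = yes\n' > "$1/bad.conf"
    chmod 600 "$1/good.conf"; chmod 644 "$1/bad.conf"
    _fk='command="/opt/local/sbin/login_duo -f smartmachine_user" ssh-rsa AAAAEXAMPLEKEY your.name@example.com'
    echo "$_fk" > "$1/good.keys"
    printf '%s\nssh-rsa AAAAEXAMPLEBACKUPKEY backup@example.com\n' "$_fk" > "$1/bad.keys"
}

# Demo; on a real SmartMachine: check_duo_setup /opt/local/etc/login_duo.conf /root/.ssh/authorized_keys
SAMPLES=$(mktemp -d); make_samples "$SAMPLES"
check_duo_setup "$SAMPLES/good.conf" "$SAMPLES/good.keys" && echo "good sample: all checks passed"
check_duo_setup "$SAMPLES/bad.conf" "$SAMPLES/bad.keys" || echo "bad sample: findings above are expected"
```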

Test Duo Push

Attempt login to your SmartMachine as root via SSH.  You should see the following:

$ ssh root@example.com
Please enroll at https://api-APIKEY.duosecurity.com/portal?ENROLLMENTCODE
Connection to example.com closed.

Visit https://api-APIKEY.duosecurity.com/portal?ENROLLMENTCODE and follow the instructions.

Attempt login to your SmartMachine via SSH again.  You should now see the Duo MFA prompts:

Duo two-factor login for smartmachine_user

Enter a passcode or select one of the following options:

 1. Duo Push to XXX-XXX-8380
 2. Phone call to XXX-XXX-8380
 3. SMS passcodes to XXX-XXX-8380

Passcode or option (1-3): 

Type 1 and hit Enter.  You should see the following:

Pushed a login request to your phone...

You should get the Push Request on your phone.  The user interaction depends on your platform, but generally you are given a Login Request screen showing the user attempting to log in, the Integration they are logging in with, their IP address, location and time, and the IP of the server they are logging into.

You are also, most importantly, given the opportunity to Approve or Deny. Click Approve.  You should see the following (different UUID, and possibly different SmartMachine version) in your SSH session:

Success. Logging you in...
   __        .                   .
 _|  |_      | .-. .  . .-. :--. |-
|_    _|     ;|   ||  |(.-' |  | |
  |__|   `--'  `-' `;-| `-' '  ' `-'
                   /  ; SmartMachine (base64 13.1.0)
                   `-'  http://wiki.joyent.com/jpc2/SmartMachine+Base

[root@some-uuid ~]#

You are now done.  Your root login to your SmartMachine is now protected with Duo Push Multi-factor Authentication.

Further Enhancement

You can make your Duo Push MFA completely stealthy by adding "autopush = yes" to /opt/local/etc/login_duo.conf.  When this is set, Duo silently sends a push request to the phone, if one is available, and presents no feedback at the SSH prompt.  This may be useful for obscuring from an attacker both the existence of MFA and the specific product in use, which they might otherwise look to attack separately.

Note that with "autopush = yes" in the configuration, the self-enrollment prompt is not shown when SSH authentication succeeds but login_duo fails.  This is desirable for stealth, but may not be what you want in your use case.

Troubleshooting

If you can't log in you can do one of two things:

  1. Log in as admin and use sudo vim /root/.ssh/authorized_keys to remove the command entry
  2. Log into the Duo Admin Console, go to the User and set Status to Bypass