Add 2FA To Your SSH In 30 Seconds
We love SSH here at Authy. We use it for practically everything: git, remote shell access, deployment scripts and even pair programming.
$ curl 'https://raw.github.com/authy/authy-ssh/master/authy-ssh' -o authy-ssh
$ sudo bash authy-ssh install /usr/local/bin
$ sudo /usr/local/bin/authy-ssh enable `whoami` <your-email> <your-country-code> <your-cellphone>
$ authy-ssh test
$ sudo service ssh restart
Keeping it secure yet accessible for everyone turned out to be quite a challenge. At first we used X.509 certificates on authorized_keys and we instructed everyone to protect their private certificates with a password. However, using multiple certificates, each with a different password, quickly became unmanageable. Reluctantly we resorted to a single certificate per user with a password. However, this is far from ideal. If an employee's machine got hacked, the hacker could steal his certificate and easily use a keylogger to steal the password. And with the password and certificate in hand, he would have access to virtually everything (including our source code through git-ssh).
We looked for other possibilities, but they all looked like a lot of work.
Finally we decided to reuse our API to add two-factor authentication to all of the machines. We hacked a quick bash script to connect to our API and used the SSH ForceCommand directive to run this script before each login. The script verifies the user token and if correct initiates the session. This meant that we could use multiple certificates again, but without requiring everyone to protect them with passwords. Best of all, if anyone stole a certificate they still wouldn’t be able to access any of the machines, as they would still require the One-Time-Password generated by the Authy App.
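The ForceCommand gate described above, as an added example that is not authy-ssh's own code: it reads the token from the terminal, refuses the session unless the token verifies, and only then hands off to the client's original command or the login shell. The Authy API call is replaced by a constructed local check (the AUTHY_DEMO_TOKEN_FILE lookup, an assumption) so the script runs offline, and the sshd_config path is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not authy-ssh's own code): a ForceCommand gate that
# verifies a one-time token before starting the session. Wire it in with
# "ForceCommand /path/to/this-gate.sh" in sshd_config (path is a placeholder).

# Placeholder for the API call. authy-ssh asks the Authy API whether the
# token is valid for the user; to run offline this stand-in (assumption)
# compares against a token stored in the file named by AUTHY_DEMO_TOKEN_FILE.
check_token() {
    user="$1"; token="$2"
    # Reject anything that is not 6 to 8 digits before any lookup.
    case "$token" in
        "" | *[!0-9]*) return 1 ;;
    esac
    [ "${#token}" -ge 6 ] && [ "${#token}" -le 8 ] || return 1
    expected=$(cat "${AUTHY_DEMO_TOKEN_FILE:-/nonexistent}" 2>/dev/null) || return 1
    [ "$token" = "$expected" ]
}

# After a successful check, run what the client asked for (git, scp and
# rsync arrive as SSH_ORIGINAL_COMMAND), otherwise the user's login shell.
session_command() {
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        printf '%s\n' "$SSH_ORIGINAL_COMMAND"
    else
        printf '%s\n' "${SHELL:-/bin/sh} -l"
    fi
}

# Returns 0 only when the token verifies; failures are logged with the
# peer address sshd exports in SSH_CONNECTION, and nothing is executed.
authy_gate() {
    if check_token "$1" "$2"; then
        return 0
    fi
    logger -p auth.warning -t authy-ssh \
        "2FA failure for $1 from ${SSH_CONNECTION:-unknown}" 2>/dev/null || true
    return 1
}

main() {
    # Prompt on the tty, not stdin, so non-interactive clients still get asked;
    # a 30 second timeout keeps an unanswered prompt from holding the slot open.
    printf 'Authy token: ' > /dev/tty
    read -r -t 30 token < /dev/tty || exit 1
    authy_gate "$(id -un)" "$token" || { echo "Access denied" >&2; exit 1; }
    exec /bin/sh -c "$(session_command)"
}
# sshd sets SSH_CONNECTION for every session; without it we were sourced, not run.
[ -n "${SSH_CONNECTION:-}" ] && main
```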
We knew we couldn’t be the only ones who wanted this, so we made a new version that everyone can install in less than 30 seconds. Let us know if you find it as useful as we do. The whole source code is on GitHub: https://github.com/authy/authy-ssh. Feel free to fork it and modify it as you wish. We wrote it in bash because we hate compiling things, and this meant it would run everywhere without special voodoo.
Also, in the next few weeks we’ll be releasing the Chef recipes we use internally, as well as some tips on how to scale this, so you can add it to 1 or 1 million machines. If you can’t wait, it should be quite easy to quickly hack this version to fit your company's needs. As always, simply e-mail us at [email protected].