13 May 2011

Two Factor SSH Authentication with Duo Security 

By - Linux, puppet, Security 1 Comment

As is probably obvious from our blog posts on Yubikey SSH/WordPress two factor authentication and Google Authenticator SSH two factor authentication, we at MNX Solutions are big proponents of multi-factor authentication schemes to add security to infrastructure. On the other side of things, though, we have to be agile system administrators in order to offer customers efficient and timely service when a problem occurs. While we still really enjoy our Yubikeys (especially for WordPress), we’ve found that the offering from Ann Arbor, MI based Duo Security is the one for us.

Numerous Points of Integration
Directly related to us, Duo easily integrates into SSH/PAM with an open-source project called duo_unix. For the enterprise, they provide support for Juniper, Cisco, Array, and SonicWall SSL VPN solutions. Lastly, they also have a web SDK and general API. Essentially, if you’re looking for a broad implementation of MFA, you’re covered.

With regard to the duo_unix project, we’ve created an RPM package hosted in our public yum repository. We’ve also integrated that RPM into a duo_unix Puppet module for quick deployments. Feel free to utilize either of these to help your own company or infrastructure to more quickly integrate Duo’s offering.

Ease of Administration
The thing we’ve noted about both Google Authenticator and Yubikey integrations are they feel very clunky to manage for an enterprise. The Duo web interface allows for simple, well organized administration. We are able to easily add multiple integrations, manage users & groups, and view an audit trail of authentication attempts. Each attempt to authenticate will provide administrators information on which user was authenticating, their IP address, their factor used (SMS, bypass code, phone call, app push, etc.), a timestamp, and whether or not the authentication succeeded. With this sort of history, it’s quick to identify attackers or just privilege misuse within a company.

Mixing Factors for Fun and Profit
Quite possibly my favorite aspect of Duo two factor versus say a Yubikey is that if I forget my Yubikey, I am essentially locked-out. However with Duo, I can add my cell phone (number or push application), office landline, home landline, or save codes that were SMS’ed to me. In a worst-case scenario, I could have another administrator provide me a bypass code or add a phone line temporarily to authenticate if I were out of town.

When I login to a server, I am prompted with available choices that are configured for my specific user and I get to decide how I will authenticate at that moment. This flexibility is what makes Duo the best multi-factor implementation I’ve ever used. For example, my iPhone’s application will send a push notification showing me that an authentication attempt is occurring and I can quickly touch whether or not to allow the authentication.

The Price is Right
For up to 10 users, Duo Security is completely free to implement. This makes it a steal and an easy decision for the SMB to deploy. Even after 10 users, it’s only $3/user/month and requires no additional hardware for your company to buy. Because you are paying for the users and not the integration points, a company like ours can easily deploy this solution across hundreds of servers for free. Admittedly, we almost feel bad for getting such an awesome service for free. Hopefully our contributions back to the community will relieve our guilt ;)

A Company with Talent
Lastly, any good security product still needs the follow-through of a solid team of experts. Dug Song and Jon Oberheide are staples in the information security community and lead a talented team over at Duo. With their respective years of broad experience in information security, Dug and Jon are able to implement, test, and secure code with much more assurance than a typical software house. If you wondered what would happen when a couple hackers and information security all-stars developed a product; Duo Security is what you get.

Running Linux Servers and want to implement two factor?

Give us a call at 888-877-7118 or click here for further detail.

One Response to “Two Factor SSH Authentication with Duo Security”

  1. dugsong says:

    Wow, thank you, Mark!

Leave a Reply