August 28, 2012
Add two-factor authentication to your ssh in 30 seconds.
TL:DR: Jump to the bottom to see the video and install it using:
Installation. $ curl 'https://raw.github.com/authy/authy-ssh/master/authy-ssh' -o authy-ssh $ sudo bash authy-ssh install /usr/local/bin $ sudo /usr/local/bin/authy-ssh enable `whoami` <your-email> <your-country-code> <your-cellphone> $ authy-ssh test $ sudo service ssh restart
We love SSH here at Authy. We use it for practically everything: git, remote shell’s access, deployment scripts and even pair programming.
However keeping it secure yet accessible for everyone turned out to be quite a challenge. At first we used X.509 certificates on authorized_keys and we instructed everyone to protect their private certificates with a password. However using multiple certificates each with a different password quickly became unmanageable. Reluctantly we resorted to a single certificate per user with a password. However this is far from ideal. If employee machine got hacked, the hacker could steal his certificate and easily use a keylogger to steal the password. And with the password and certificate in hand, he would have access to virtually everything (including our source code through git-ssh).
We looked for other possibilities, but they all looked like a lot of work. Finally we decided to reuse our API to add two-factor authentication to all of the machines. We hacked a quick bash script to connect to our API and used the SSH ForceCommand directive to run this script before each login. The script verifies the user token and if correct initiates the session. This meant that we could use multiple certificates again, but without requiring everyone to protect them with password’s. Best of all, if anyone stole a certificate they still wouldn’t be able to access any of the machines, as they would still require the One-Time-Password generated by the Authy App.
We knew we couldn’t be the only one who wanted this, so we made a new version that everyone can install in less than 30 seconds. Let us know if you find it as useful as we do. The whole source code is on Github: https://github.com/authy/authy-ssh. Feel free to fork it and modify it as you wish. We wrote it in bash because we hate compiling things and this meant it would run everywhere without special voodoo.
Also in the next few weeks we’ll be releasing our chef recipes we use internally, as well as some tips on how to scale this, so you can add it to 1 or 1 million machines. However if you can’t wait, it should be quite easy to quickly hack this version to fit your company needs. As always simply e-mail us to [email protected] or join our campfire chat if you need help: https://authy.campfirenow.com/1c6c4
By the way, we made a small video you can see it in action, you can watch it below in full screen.