MFA (Multi Factor Authentication) Lab Overview In this lab activity you will implement multi factor authentication for the SSH service on an Ubuntu server This will work in conjunction with the Google Authenticator app Remember that multi factor authentication requires two or more means of authentication In this activity the two factors will be something you know (a password) and something you have (the Google Authenticator token) If you have a mobile device you can install the GoogleAuthenticator app for free Just search the appstore or Google play for Google Authenticator Alternatively, if you dont have a mobile device, you can use the Chrome browser plugin for Google Authenticator Google Authenticator provides a OneTime Password that is Time Synchronized and must be entered at login A random string of 6 digits will display for about 30 seconds before changing to the next sequence of 6 digits During login, and after the users password has been entered, a prompt for the code will appear The user will need to enter the correct 6 digit code from Google Authenticator to complete the login process Getting Started There are two pieces to this labs infrastructure First is an Ubuntu Linux server that will be configured to require MFA for ssh logins (Not all login accounts will be configured to requires MFA) Second is the GoogleAuthenticator code generating tool This is an application that runs on a mobile device or within a web browser add in, displaying a unique code to be entered during login The code updates automatically every 30 seconds The server can be provisioned multiple ways (choose only 1) A standalone virtual machine on your laptop desktop A docker based Ubuntu container accessed via testout dtcc edu A codeanywhere container A virtual machine template file is available from link to ova This machine is configured with an account named student with password student To use the docker Ubuntu container Login to and follow the instructions below for starting up a containe r Docker Container on Create an ubuntu container to use for this experiment Initiate with the following command $docker run h mfalab it ubuntu frankbuntu Install the pam module that will support MFA with the following command $sudo apt get install libpam google authenticator Because were going to enable MFA on an account other than root, well need to first create that account Add an account to be used ( useradd m franko) and set the password for that account The ubuntu container doesnt have the ssh service installed Install it with the following command $apt get update apt get install ssh (this ubuntu container requires an update first) When this completes, start the ssh service with the command $service ssh start Test your ability to login via ssh with the command below $ssh localhost l franko Notice you were only prompted for a single factor (password) Now configure your mobile device by installing the google authenticator app Configure a profile in the app by running google authenticator and following the instructions to configure your account for MFA Login to your container as that new account ($login franko) To begin the setup of MFA for the franko account, run the command ($google authenticator) You should be prompted with the question Do you want authentication tokens to be time based answer y to this (provide guidance for the other questions) Next we need to configure the ssh daemon to require MFA for accounts that are setup to use it This is accomplished via both the sshd config and a pam configuration file for google authenticator Edit the file etc sshd config changing the setting of ChallengeResponseAuthentication to yes Because you have changed the sshd config, youll need to restart the service with the following command $service ssh restart You will also need to modify the PAM settings to enable ssh to use the google authenticator library In the file etc pam d ssh add the following line to the end of the file auth required pam google authenticator so nullok Try to login again via ssh, you should see a prompt for a verification code after you enter the password Its working If you have trouble, make sure the clock on your server is set to the correct time The token is based on the current time and if the clocks between your server and the google authenticator app are not in sync, the codes will be forever incompatible If you are already using google authenticator and have profiles in your app, make sure you are using the correct profile when you enter the code Standalone Server Instructions Create an instance of an Ubuntu server virtual machine Make sure the VM has internet access and test login to the machine via ssh (this will confirm single factor access to the machine

The Answer is in the image, click to view ...

Question: MFA (Multi-Factor Authentication) Lab Overview : In this lab activity you will implement multi-factor authentication for the SSH service on an Ubuntu server. This will

MFA (Multi-Factor Authentication) Lab

Overview:

In this lab activity you will implement multi-factor authentication for the SSH service on an Ubuntu server. This will work in conjunction with the Google Authenticator app.

Remember that multi-factor authentication requires two or more means of authentication. In this activity the two factors will be something you know (a password) and something you have (the Google Authenticator token)

If you have a mobile device you can install the GoogleAuthenticator app for free. Just search the appstore or Google play for Google Authenticator.

Alternatively, if you dont have a mobile device, you can use the Chrome browser plugin for Google Authenticator.

Google Authenticator provides a OneTime Password that is Time Synchronized and must be entered at login. A random string of 6 digits will display for about 30 seconds before changing to the next sequence of 6 digits. During login, and after the users password has been entered, a prompt for the code will appear. The user will need to enter the correct 6 digit code from Google Authenticator to complete the login process.

Getting Started:

There are two pieces to this labs infrastructure.

First is an Ubuntu Linux server that will be configured to require MFA for ssh logins. (Not all login accounts will be configured to requires MFA)

Second is the GoogleAuthenticator code generating tool. This is an application that runs on a mobile device or within a web browser add-in, displaying a unique code to be entered during login. The code updates automatically every 30 seconds.

The server can be provisioned multiple ways: (choose only 1)

A standalone virtual machine on your laptop/desktop
A docker based Ubuntu container accessed via testout.dtcc.edu
A codeanywhere container

A virtual machine template file is available from link to ova This machine is configured with an account named student with password student

To use the docker Ubuntu container. Login to and follow the instructions below for starting up a container.

Docker Container on

Create an ubuntu container to use for this experiment. Initiate with the following command:
$docker run -h mfalab -it ubuntu:frankbuntu
Install the pam module that will support MFA with the following command:
$sudo apt-get install libpam-google-authenticator
Because were going to enable MFA on an account other than root, well need to first create that account
Add an account to be used ( useradd -m franko) and set the password for that account
The ubuntu container doesnt have the ssh service installed. Install it with the following command:
$apt-get update; apt-get install ssh (this ubuntu container requires an update first)
When this completes, start the ssh service with the command:
$service ssh start
Test your ability to login via ssh with the command below:
$ssh localhost -l franko
Notice you were only prompted for a single factor (password)
Now configure your mobile device by installing the google authenticator app
Configure a profile in the app by running google-authenticator and following the instructions to configure your account for MFA
Login to your container as that new account ($login franko)
To begin the setup of MFA for the franko account, run the command ($google-authenticator)
You should be prompted with the question Do you want authentication tokens to be time-based answer y to this. (provide guidance for the other questions)
Next we need to configure the ssh daemon to require MFA for accounts that are setup to use it. This is accomplished via both the sshd_config and a pam configuration file for google_authenticator.
Edit the file /etc/sshd_config changing the setting of ChallengeResponseAuthentication to yes
Because you have changed the sshd_config, youll need to restart the service with the following command:
$service ssh restart
You will also need to modify the PAM settings to enable ssh to use the google-authenticator library. In the file /etc/pam.d/ssh add the following line to the end of the file auth required pam_google_authenticator.so nullok
Try to login again via ssh, you should see a prompt for a verification code after you enter the password. Its working!
If you have trouble, make sure the clock on your server is set to the correct time. The token is based on the current time and if the clocks between your server and the google-authenticator app are not in sync, the codes will be forever incompatible.
If you are already using google-authenticator and have profiles in your app, make sure you are using the correct profile when you enter the code.

Standalone Server Instructions

Create an instance of an Ubuntu server virtual machine

Make sure the VM has internet access and test login to the machine via ssh (this will confirm single factor access to the machine.

Step by Step Solution

There are 3 Steps involved in it

1 Expert Approved Answer

Step: 1 Unlock blur-text-image

Question Has Been Solved by an Expert!

Get step-by-step solutions from verified subject matter experts

Step: 2 Unlock

Step: 3 Unlock

Students Have Also Explored These Related Databases Questions!

MFA (Multi-Factor Authentication) Lab Overview : In this lab activity you will implement multi-factor authentication for the SSH service on an Ubuntu server. This will work in conjunction with the...

Overview: Now that you re super knowledgeable about security, let's put your newfound know - how to the test. You may find yourself in a tech role someday, where you need to design and influence a...

An attacker has gained access to the passwords of several employees of a company through a brute force attack. Which authentication method would keep the attacker from accessing the employees...

QUESTION 1 8 What is the purpose of the " - - dry - run" option in the AWS CLI? To simulate the execution of a command without actually performing any actions. To enable verbose output for debugging...

a . What is Cyber Resilience? Compare and contrast Cyber Resilience with Cybersecurity. b . Cyber Resilience is primarily associated with which EBK area? Explain. c . Cyber Resilience is primarily...

An employee suspects his password has been compromised. He changed his password two days ago. What might be going on with his account? How can MFA ( multifactor authentication ) help prevent future...

QUESTION 2 4 What is the purpose of the " - - profile" option in the AWS CLI? To enable verbose output for debugging purposes. To authenticate with AWS using MFA ( Multi - Factor Authentication ) ....

1.Steps to complete the assignment - There are 10 lab activities in this document, follow the steps to answer the question. - Make sure to add a screenshot of the results. 2.Evaluation criteria -...

As you may have noticed, phishing emails and cyber-attacks are becoming more prevalent in today's society. To increase the safety of our accounts, CBU is moving to a Multi-Factor Authentication (MFA)...

Design Overall Architecture of the Application The RNG Password Manager application is designed using a modular architecture to ensure scalability, maintainability, and security. It consists of the...

The goodwill of a firm is valued at Rs.1, 35,000 at 3 years purchase of super profit. Determine the missing values: Average Profit = 3,60,000 3 Normal Profit = Rs..... X = = 15 100 Rs.1,20,000 =...

What is unique about computers as far as ethical issues?

Problem 1 3 - 1 1 Colculating Portfolio Betss [ LO 4 ] Kou dwh a stock portfolo inveited 2 5 peroent in Sock Q 2 0 percent in Srock R , 3 5 peicest in Sock 5 , and 2 0 percere in 5 sock I. The becas...

The rate of effusion of CH4 at a given temperature is twice that of gas Y. the molecular mass of Y is : 4.0g/mol 8.0g/mol 64.0g/mol 32.0g/mol Which of the following matched pairs of name and formula...

Why is the System Build Process an iterative process?

What phase normally comes directly after the System Build process in a Project?

Name two other algorithms available in SSAS Data Mining other than Decision Trees.