Overview

Secure Shell(SSH) is a vital protocol used for securely accessing and managing Linux servers remotely by authenticating using a user name and password

CyLock MFA for Secure Shell (SSH) is a crucial component of modern cybersecurity strategies, offering enhanced security, resilience, and compliance adherence. By implementing MFA for SSH, organizations can effectively mitigate the risks associated with unauthorized access while maintaining operational efficiency and user experience.

Supported Devices:

Firewall Devices: Sophos XG-series, SG-series, UTM-series, Cyberoam series support RADIUS authentication.

Architecture Overview

CyLock MFA steps up as a vital solution, demanding users to confirm their identity through multiple distinct methods. This fortifies the login access to Linux Servers, marking an indispensable measure essential for combating the dangers of password compromise, ensuring adherence to industry regulations, and, above all, safeguarding sensitive data.

CyLock PAM module can be installed on an RHEL Server to quickly enable two factor authentications during SSH login. A typical deployment architecture and process is shown below.

Figure 1: Deployment Architecture and process flow of SSH Login

Prerequisites

1. Securing an application requires an active CyLock MFA account. (Refer “Getting Started: Guide to CyLock MFA”to start using CyLock MFA to protect your applications).
2. Login to “CyLock MFA Portal”
3. Navigate to Application menu in the left menu panel
4. Click “Add Application” button to secure an application. Locate and select “SSL VPN” from the list of application names. Click “+Secure” button to configure CyLock MFA for SSL VPN. Enter the details as requested and click “Save” button. Before leaving the page copy Application Key and Application ID, which are required during CyLock MFA RADIUS Proxy component installation. See “Securing an Application” for more information about protecting applications in CyLock MFA.
5. RHEL OS patches must be up to date.
6. Download the CyLock MFA PAM module for RHEL distribution from below link https://downloads.cybernexa.com/downloads/CyLock_PAM_RHEL_9_4.zip .
7. Follow the instructions in “CyLock MFA PAM Module Installation” section to enable Multi-Factor Authentication (MFA) for SSH login.
8. Download CyLock MFA Mobile App from Android or iOS store.
9. Register SSH user using CyLock MFA Mobile app.

CyLock MFA PAM Module Installation

The CyLock MFA PAM Module can be installed on a Linux Server. We recommend a Server with at least 4 vCPU, 200 MB disk space, and 8 GB RAM.

Supported Linux Distributions:

This document pertains to RHEL Linux distribution. Download the CyLock MFA PAM module for RHEL and move the same in the respective Server.

Configuring CyLock MFA PAM Module

1. Login to your Red Hat Enterprise Linux Server, here Red Hat 9.4 Version is taken for example. You can verify the Linux server OS version using below command.

    cat /etc/os-release

   

   Figure 2: Verifying the Red Hat Enterprise Linux Server OS version

2. Update the Package using below command.

    sudo dnf update

   

   Figure 3: Updating the Package

3. Move the CyLock MFA PAM module into RHEL server as shown in the Figure 4.

   Here Mobaxterm is used for hosting SSH sessions, In Mobaxterm click on the ‘up arrow’ symbol at left hand side.

   Then select the CyLock MFA PAM module which usually be in zip format that you have downloaded in your system. This completes moving PAM module into your RHEL server.

   

   Figure 4 : Selecting the downloaded CyLock MFA PAM module from the local machine

4. Type’ ls ‘in the terminal, you can see the PAM module in zip format listed as shown in the Figure 5.

   Figure 5: CyLock MFA PAM module for RHEL is uploaded in the server

5. Unzip the zip file using below command. Refer Figure 6.

    sudo unzip CyLock_PAM_RHEL_9_4.zip

   After you unzip the file, you can see an unzipped folder. Refer Figure 6.

   

   Figure 6: Unzip the CyLock MFA PAM module

6. Go to the folder, here you can see the CyLock MFA PAM module installer, uninstaller and readme files. Refer Figure 7.
7. Now you need to run the CyLock PAM installer file to integrate the CyLock PAM Module to the server. For that you need to give executable permission to the PAM installer file using below command.

    sudo chmod a+x *.sh

   

   Figure 7: Giving executable permission to the installer file

8. Before Running the CyLock MFA PAM installer, Login to the CyLock portal. Get Application key and Application ID using which you can integrate the CyLock MFA PAM module to the server. Refer Prerequisites #4 for ‘Securing an Application’ information.
9. Run the cylock_ssh_installer.sh file to install the CyLock MFA PAM module in your RHEL server using below command.

    sudo ./cylock_ssh_installer.sh

   

   Figure 8: Running the CyLock PAM installer

10. While running the PAM installer, this will open CyLock SSH Configuration wizard on the screen. Follow the wizard as shown in the Figures 9 to 15.

    Figure 9: CyLock SSH Configuration setup wizard

    Enter the CyLock Auth Server URL and click OK, as shown in the Figure 10.

    Note: Contact CyLock Support Team to get CyLock Auth Server URL.

    

    Figure 10: Entering Auth Server URL

    Enter the CyLock Auth Server URL and click OK, as shown in the Figure 10.

    

    Figure 11: Entering Application Key

    Copy and paste the Authorization ID that was generated after securing the SSH Application in the CyLock portal and click OK.

    

    Figure 12: Entering Application ID

    Set the Default Authentication option (YES / NO) of your choice:

    •  If you set YES: The default authentication mode you set in the portal will be triggered during SSH login.
    •  If you set NO:Multiple MFA authentication modes will be displayed, allowing you to choose any mode during SSH login.

    Click OK to proceed.

    

    Figure 13: Setting Default Authentication

    Set the Fail mode (ALLOW / DENY) of your choice:

    •  If you set ALLOW: You can log in to RHEL Sever even if CyLock’s authentication server is unreachable.
    •  If you set DENY:You will be unable to log in to RHEL Sever if CyLock’s authentication server is unreachable.

    Click OK to proceed.

    

    Figure 13: Setting Default Authentication

    Set the Default Authentication option (YES / NO) of your choice:

    •  If you set YES: The default authentication mode you set in the portal will be triggered during SSH login.
    •  If you set NO:Multiple MFA authentication modes will be displayed, allowing you to choose any mode during SSH login.

    Click OK to proceed.

    

    Figure 14: Setting Fail mode

    Set whether you want to ALLOW or DENY Device Registration:

    •  ALLOW Device Registration:If an SSH user is created under the SSH application in the CyLock portal but has not done device registration, the terminal will display a device registration code. The user must enter this code into the CyLock MFA Application that installed in mobile to complete device registration and proceed with authentication for SSH login. Device registration can be done during the SSH login process.
    •  DENY Device Registration:If an SSH user is created under the SSH application in the CyLock portal but has not done device registration, the user will not be able to authenticate. Device registration cannot be performed through SSH login.

    Click OK to proceed.

    

    Figure 15: Setting Device Registration

    Once the CyLock SSH Configuration set up wizard is completed, you will get ‘Installation and configuration completed successfully’ success message as shown in the Figure 16.

    

    Figure 16: PAM module installed successfully

Test the Set up

Now, attempt to log in to your server. After the first factor (1FA) is successfully verified, the second factor (2FA) will be triggered based on the user's default authentication method. Since the default authentication mode is set to 'NO,' you will be presented with multiple authentication options, as shown in the Figure 17. You can select any of these modes to complete the 2FA and gain access to RHEL Server.

Supported Authentication options for SSH Login:

CyLock MFA Supports the below Authentication options to login RHEL server through SSH.

1. Online (Push)
2. CR-OTP (Display)
3. CR-OTP (Email)
4. CR-OTP (SMS)
5. POTP ( Email)
6. POTP (SMS)
7. TOTP

•  In the listed authentication options, the '1-Online' (Push) is selected here.


Figure 17: From List of supported Authentication modes, selected 1-Online (push)

You will receive a push notification to your registered mobile as shown in the Figure 18.

•  Click on the received Push notification, it will take you to CyLock MFA App.


Figure 18: Received Push Notification in registered mobile

•  Click to Enter PIN


Figure 19: Clicking on Enter PIN

•  Now it will prompt for entering the PIN that you have set while doing device registration as shown in the Figure 20.


Figure 20: Enter PIN prompt

•  Enter 6 digit PIN you have set and click on tick symbol. Refer Figure 21.


Figure 21: Entering the 6 digit PIN

•  Figure 22 shows the process of Authenticating.


Figure 22: Authentication processing

•  Once the Authentication is done successfully, you can see Success message on the SSH screen as shown in the Figure 23.
•  Press enter to login to the RHEL server.


Figure 23: Authentication Success message

Now you can do SSH Login to the server successfully using CyLock MFA.



Figure 24: Successfully done SSH Login to the RHEL server