Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MFA Cache #319

Closed
kristiyan-erdelski opened this issue Dec 10, 2024 · 1 comment
Closed

MFA Cache #319

kristiyan-erdelski opened this issue Dec 10, 2024 · 1 comment

Comments

@kristiyan-erdelski
Copy link

Summary
It would be great if a cache solution can be implemented in order to prevent back-to-back MFA requests when SSH-ing into a server and then attempting to escalate privileges, forcing another MFA session.

Problem Statement
Currently the flow when doing an authentication request is as such:

  1. SSH into the server with your Entra ID credentials.
  2. You get prompted for MFA.
  3. You successfully authenticate.
  4. When attempting to escalate privileges you once again get prompted to MFA.
  5. You are now root.

This would drastically slow down workflow as it takes about ~30 or so seconds for a user to go through the whole authentication flow.

Proposed Solution
As per our conversation in the Matrix chat, implementing a cache solution to cache users that are part of a specific group to not require MFA would solve the issue. MFA would be requested on initial login and then cached. That being said, it would be great if we can get the Cache TTL within the configuration file so it's not cached indefinitely and cause security concerns.

Benefits
This would improve UX and greatly improve speed.
@dmulder
Copy link
Collaborator

dmulder commented Dec 11, 2024
edited
Loading

After thinking it over, I think this is simply not a good idea.
We shouldn't compromise security for convenience. I could check the IP address from the incoming ssh connection, but this can be spoofed.

There are plenty of alternative configurations to achieve an improved workflow, for example:

  • Hello Key auth. Enable Hello auth, and each user can enroll a PIN code for authenticating to the host. This isn't ideal in my opinion, since it simply circumvents the MFA (after authenticating via MFA once), and is essentially just a local password to the host.
  • RSA Key auth. Have the users run ssh-copy-id <ssh-host>, MFA once, then they will authenticate via their individual rsa key in the future. This is probably the most secure solution.
  • Passwordless auth. This isn't working in Himmelblau yet, but if this is the route you would prefer, then I can pursue implementing it. With passwordless auth, when a user goes to SSH to a host, they are never prompted to enter a password, but ONLY perform MFA. In that case, a user need only enter the entropy code and approve an authentication, if using the MS Authenticator. This might actually be a bit faster than entering a password, but more secure.

In regards to escalating privileges after authentication, this is easily resolved using sudo. Put all your root-permitted users in an Entra Id security group (called Sudoers, perhaps), then on the host run sudo visudo, and add an entry for that security group:

e71148e2-cdd0-4f86-a47e-5d614539bdfa ALL=(ALL:ALL) ALL

Where 'e71148e2-cdd0-4f86-a47e-5d614539bdfa' is the object Id of the security group.

I think I would recommend using passwordless + a suders security group. This would improve the work flow time, while still maintaining a high level of security.

@dmulder dmulder closed this as completed Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dmulder @kristiyan-erdelski