SD-WAN: Adding OTP to a Fusion SD-WAN container
Containers are a great tool in an SD-WAN and on Fusion we use them to configure VPN concentrators as described in this article: Implementing OpenConnect VPN on Fusion SD-WAN. The VPN implements OTP and we can also add OTP to the container login itself.
First add the OTP software:
sudo apt-get update
sudo apt-get install libpam-google-authenticator
Run google-authenticator to configure it; the setup also prompts for some additional security options:
google-authenticator
The output includes a QR code to scan in Microsoft Authenticator for the OTP.
Now configure OpenSSH:
sudo nano /etc/pam.d/sshd
Add the following line to the bottom of the file:
. . .
# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so nullok
sudo nano /etc/ssh/sshd_config
. . .
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
Now restart:
sudo systemctl restart sshd.service
You should now be able to log in using the password and the OTP.
As a fallback for accessing the container you can use the SD-WAN edge:
sudo machinectl login container
If you would like to reuse this method with the same secret on another server, just copy ~/.google_authenticator and use it there.
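Before relying on a copied ~/.google_authenticator, it is worth confirming that the copy parses correctly, that its permissions are tight enough for pam_google_authenticator to accept it, and that the secret produces the same code your authenticator app shows. The script below is an added example, not part of this article or of the google-authenticator project; it assumes the usual file layout (base32 secret on the first line, option lines starting with a double quote, numeric emergency scratch codes after that) and implements RFC 6238 TOTP with HMAC-SHA1 and 6 digits, which is what google-authenticator uses by default.

```python
"""Sanity-check a copied ~/.google_authenticator file (added example)."""
import base64
import hashlib
import hmac
import os
import struct
import time


def parse_google_authenticator(text):
    """Split file contents into (secret, options, scratch_codes).

    Assumed layout: line 1 is the base32 secret; lines beginning with '"'
    are options such as TOTP_AUTH or RATE_LIMIT; remaining all-digit lines
    are one-time emergency scratch codes.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret = lines[0]
    options = [ln[1:].strip() for ln in lines[1:] if ln.startswith('"')]
    scratch = [ln for ln in lines[1:] if ln.isdigit()]
    return secret, options, scratch


def totp(secret_b32, for_time, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1), the scheme google-authenticator uses."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(for_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def mode_is_private(mode):
    """True when no group/other permission bits are set (e.g. 0o400, 0o600);
    pam_google_authenticator rejects a secret file that is wider than that."""
    return (mode & 0o077) == 0


def check_copied_secret(path, now=None):
    """Return (current_code, mode_ok, options) for a copied secret file."""
    with open(path) as fh:
        secret, options, _scratch = parse_google_authenticator(fh.read())
    mode_ok = mode_is_private(os.stat(path).st_mode)
    return totp(secret, now if now is not None else time.time()), mode_ok, options


if __name__ == "__main__":
    print(check_copied_secret(os.path.expanduser("~/.google_authenticator")))
```

Compare the printed code with the app within the same 30-second window; if mode_ok is False, fix ownership and chmod the file to 0400 before trying to log in.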
* Ronald works connecting Internet inhabiting things at Fusion Broadband.