Two-factor authentication setup in OS ROSA Desktop Fresh R9

From Rosalab Wiki
Revision as of 18:12, 25 December 2017 by Juliette (Talk | contribs) (List of supported ROSA versions:)



Every security administrator knows very well that a long password is by no means more secure than a short one. Better security requires two-factor authentication. Many people are already familiar with 2FA: paying online with a credit card requires not only the CVV2 code but often also a single-use text message from the bank's security system or some other additional authentication factor (howdy, fingerprint authentication?).

Of course, the data on the hard disk of a laptop stolen from you cannot be protected that way; that calls for cryptography. But if somebody is trying to spot your password from behind your shoulder in order to use it later, 2FA is the right choice.

So, what do you need to set up 2FA in ROSA? Up for a challenge? Follow the detailed instructions below!

Applicability

Use cases

Purpose: This guide describes the process of setting up two-factor authentication (2FA) in ROSA Desktop Fresh R9.

_______________________________________________________________________________________________

Why do you need the two-factor authentication and what is its purpose?

Two-factor authentication (multi-factor authentication) is a tool that makes the login process (and many other use cases which require verifying a certain identity) more secure. Whenever you use two-factor authentication, the protection is much stronger than simply entering a password.


User passwords are needed to:

  • perform the regular login into the graphical shell of the OS;
  • unlock the computer (laptop) when the screen saver is running;
  • log in again (say, you need to log into the system a second time in parallel);
  • connect to the operating system remotely (for example, over SSH);
  • log into a text terminal getty (ALT+F2...F6);
  • switch the user context, i.e. use su or sudo to perform actions as another user or as the root administrator.

Now imagine one of the following situations:

  • You suspect your password was stolen but for some reason you cannot change it immediately.
  • Somebody is watching you from behind your shoulder, or via a mirror, while you enter your actual password.
  • Your password was captured while you were typing it to connect to your home machine over SSH from an Internet café or a friend's computer, and the stolen password can now be used by an intruder.
  • The Internet is full of easy-to-use free password-interception software, which captures the symbols typed on your keyboard and writes them to a file that can later be copied or transferred elsewhere.
  • An attacker can easily buy a keyboard specially designed to intercept the entered symbols and record them on an embedded USB stick. USB pass-through devices that do the same are also available on the Internet (or the attacker can solder one from spare parts).
  • You think your password is too simple or too obvious and could be mentally brute-forced by some iron bad guys from the Megatron series.


In all the cases above, two-factor authentication can really help, and to learn how to implement it you just have to read through our howto. By the end of it you will be a wise security expert who laughs in the face of a password-guessing bot trying to break into your system.

Multi-factor authentication (and two-factor authentication in particular) is based on the principle that, for a user to establish their identity, a combination of several correctly supplied factors must be present:

  • some secret known to the user, such as a password
  • some physical object in the possession of the user, such as a USB stick with a secret token, a bank card, a key, etc.
  • some physical characteristic of the user, such as a fingerprint, iris, voice, typing speed, pattern of key press intervals, etc. In this case we are talking about biometric authentication, or biometrics.


In ROSA Desktop Fresh R9 we recommend two-factor authentication with one-time TOTP passwords that are valid for only 30 seconds. We consider this implementation the most acceptable and comfortable for users.

This implementation does not require complex configuration and tuning, or any rare software or hardware. Note also that two-factor authentication does not need an Internet connection to function.

List of supported ROSA versions:

At the moment the following versions are supported (earlier versions are not supported):

  • ROSA Desktop Fresh R9 GNOME
  • ROSA Desktop Fresh R9 KDE (please switch the graphical login manager from KDM to LightDM);
  • ROSA Desktop Fresh R9 PLASMA (please switch the graphical login manager from SDDM to LightDM);
  • Any ROSA (Fresh/RED) based on 2014.1 or 2016.1 with GDM or LightDM graphical login managers.

Installation prerequisites and requirements

  • The google-authenticator package from the ROSA repositories.
  • Mobile phone (a smartphone) or a tablet (Windows Phone©, Android© or Apple© iOS©) which will be turned into a token with the key and will generate the one-time passwords.
  • The clocks on both devices must be synchronized; this is a critical factor, and only a very small time offset between the two devices is tolerated.
  • To synchronize the clock you should use NTP Internet time servers, for example ntp.rosalinux.ru and ntp2.rosalinux.ru, or any other NTP servers of your choice.
  • Tin foil cap (a joke)
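To make the two points above concrete (30-second TOTP codes, and why the clocks must stay in sync), here is an added example of the RFC 6238 TOTP computation and a verifier with a one-step tolerance window. It is not code from this page or from the google-authenticator package; the secret is the public RFC 6238 test-vector key, not a real one, and the window size is an assumption for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # validity window of one code, as recommended on this page
DIGITS = 6

# Public RFC 6238 test-vector key (ASCII "12345678901234567890" in base32);
# constructed for the example, never use it as a real secret.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Both the phone and the PC compute exactly this, which is why their
    clocks must agree to within a fraction of one step."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    return hotp(key, unix_time // step)


def verify_totp(secret_b32: str, code: str, unix_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept `code` if it matches the current time step or any step within
    +/- `window` steps (assumed tolerance). A small clock offset between the
    devices is absorbed by the window; a larger drift is rejected."""
    for delta in range(-window, window + 1):
        t = unix_time + delta * step
        if t < 0:
            continue
        # constant-time comparison avoids leaking how many digits matched
        if hmac.compare_digest(totp(secret_b32, t, step), code):
            return True
    return False


if __name__ == "__main__":
    print("code at t=59:", totp(SECRET, 59))
    print("accepted 30 s later:", verify_totp(SECRET, totp(SECRET, 59), 89))
    print("accepted 60 s later:", verify_totp(SECRET, totp(SECRET, 59), 119))
```

The second and third lines of output show the effect of clock skew: a code from time 59 is still accepted one step later but refused two steps later, so a device whose clock is off by more than the window will never log in.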