# TSYS Two-Factor Authentication Implementation Guide ## Overview This guide provides complete instructions for implementing and managing two-factor authentication (2FA) on TSYS servers using Google Authenticator (TOTP). ## What This Implementation Provides ### Services Protected by 2FA - **SSH Access:** Requires SSH key + 2FA token - **Cockpit Web Interface:** Requires password + 2FA token - **Webmin Administration:** Requires password + 2FA token (if installed) ### Security Features - **Time-based One-Time Passwords (TOTP):** Standard 6-digit codes - **Backup Codes:** Emergency access codes - **Gradual Rollout:** Optional nullok mode for phased deployment - **Configuration Backup:** Automatic backup of all configs ## Implementation Steps ### Step 1: Run the 2FA Setup Script ```bash # Navigate to the security modules directory cd ProjectCode/Modules/Security # Run the 2FA setup script as root sudo bash secharden-2fa.sh ``` ### Step 2: Validate Installation ```bash # Run 2FA validation tests ./Project-Tests/security/2fa-validation.sh # Run specific 2FA security test ./Project-Tests/run-tests.sh security ``` ### Step 3: Setup Individual Users For each user that needs 2FA access: ```bash # Check setup instructions cat /home/username/2fa-setup-instructions.txt # Run user setup script sudo /tmp/setup-2fa-username.sh ``` ### Step 4: Test 2FA Access 1. **Test SSH access** from another terminal 2. **Test Cockpit access** via web browser 3. **Test Webmin access** if installed ## User Setup Process ### Installing Authenticator Apps Users need one of these apps on their phone: - **Google Authenticator** (Android/iOS) - **Authy** (Android/iOS) - **Microsoft Authenticator** (Android/iOS) - **1Password** (with TOTP support) ### Setting Up 2FA for a User 1. **Run setup script:** ```bash sudo /tmp/setup-2fa-username.sh ``` 2. **Follow prompts:** - Answer "y" to update time-based token - Scan QR code with authenticator app - Save emergency backup codes securely - Answer "y" to remaining security questions 3. **Test immediately:** ```bash # Test SSH from another terminal ssh username@server-ip # You'll be prompted for 6-digit code ``` ## Configuration Details ### SSH Configuration Changes File: `/etc/ssh/sshd_config` ``` ChallengeResponseAuthentication yes UsePAM yes AuthenticationMethods publickey,keyboard-interactive ``` ### PAM Configuration File: `/etc/pam.d/sshd` ``` auth required pam_google_authenticator.so nullok ``` ### Cockpit Configuration File: `/etc/cockpit/cockpit.conf` ``` [WebService] LoginTitle = TSYS Server Management LoginTo = 300 RequireHost = true [Session] Banner = /etc/cockpit/issue.cockpit IdleTimeout = 15 ``` ### Webmin Configuration File: `/etc/webmin/miniserv.conf` ``` twofactor_provider=totp twofactor=1 ``` ## Security Considerations ### Gradual vs Strict Enforcement #### Gradual Enforcement (Default) - Uses `nullok` option in PAM - Users without 2FA can still log in - Allows phased rollout - Good for initial deployment #### Strict Enforcement - Remove `nullok` from PAM configuration - All users must have 2FA configured - Immediate security enforcement - Risk of lockout if misconfigured ### Backup and Recovery #### Emergency Access - **Backup codes:** Generated during setup - **Root access:** Can disable 2FA if needed - **Console access:** Physical/virtual console bypasses SSH #### Configuration Backup - Automatic backup to `/root/backup/2fa-TIMESTAMP/` - Includes all modified configuration files - Can be restored if needed ## Troubleshooting ### Common Issues #### 1. User Cannot Generate QR Code ```bash # Ensure qrencode is installed sudo apt-get install qrencode # Re-run user setup sudo /tmp/setup-2fa-username.sh ``` #### 2. SSH Connection Fails ```bash # Check SSH service status sudo systemctl status sshd # Test SSH configuration sudo sshd -t # Check logs sudo journalctl -u sshd -f ``` #### 3. 2FA Code Not Accepted - **Check time synchronization** on server and phone - **Verify app setup** - rescan QR code if needed - **Try backup codes** if available #### 4. Locked Out of Server ```bash # Access via console (physical/virtual) # Disable 2FA temporarily sudo cp /root/backup/2fa-*/pam.d.bak/sshd /etc/pam.d/sshd sudo systemctl restart sshd ``` ### Debug Commands ```bash # Check 2FA status ./Project-Tests/security/2fa-validation.sh # Check SSH configuration sudo sshd -T | grep -E "(Challenge|PAM|Authentication)" # Check PAM configuration cat /etc/pam.d/sshd | grep google-authenticator # Check user 2FA status ls -la ~/.google_authenticator ``` ## Management and Maintenance ### Adding New Users 1. Ensure user account exists 2. Run setup script for new user 3. Provide setup instructions 4. Test access ### Removing User 2FA ```bash # Remove user's 2FA configuration sudo rm /home/username/.google_authenticator # User will need to re-setup 2FA ``` ### Disabling 2FA System-Wide ```bash # Restore original configurations sudo cp /root/backup/2fa-*/sshd_config.bak /etc/ssh/sshd_config sudo cp /root/backup/2fa-*/pam.d.bak/sshd /etc/pam.d/sshd sudo systemctl restart sshd ``` ### Updating 2FA Configuration ```bash # Re-run setup script sudo bash secharden-2fa.sh # Validate changes ./Project-Tests/security/2fa-validation.sh ``` ## Best Practices ### Deployment Strategy 1. **Test in non-production** environment first 2. **Enable gradual rollout** (nullok) initially 3. **Train users** on 2FA setup process 4. **Test emergency procedures** before strict enforcement 5. **Monitor logs** for authentication issues ### Security Recommendations - **Enforce strict mode** after successful rollout - **Regular backup code rotation** - **Monitor failed authentication attempts** - **Document emergency procedures** - **Regular security audits** ### User Training - **Provide clear instructions** - **Demonstrate setup process** - **Explain backup code importance** - **Test login process with users** - **Establish support procedures** ## Monitoring and Logging ### Authentication Logs ```bash # SSH authentication logs sudo journalctl -u sshd | grep -i "authentication" # PAM authentication logs sudo journalctl | grep -i "pam_google_authenticator" # Failed login attempts sudo journalctl | grep -i "failed" ``` ### Security Monitoring - Monitor for repeated failed 2FA attempts - Alert on successful logins without 2FA (during gradual rollout) - Track user 2FA setup completion - Monitor for emergency access usage ## Integration with Existing Systems ### LDAP/Active Directory - 2FA works with existing authentication systems - Users still need local 2FA setup - Consider centralized 2FA solutions for large deployments ### Monitoring Systems - LibreNMS: Will continue to work with SNMP - Wazuh: Will log 2FA authentication events - Cockpit: Enhanced with 2FA protection ### Backup Systems - Ensure backup procedures account for 2FA - Test restore procedures with 2FA enabled - Document emergency access procedures ## Support and Resources ### Files Created by Setup - `/tmp/setup-2fa-*.sh` - User setup scripts - `/home/*/2fa-setup-instructions.txt` - User instructions - `/root/backup/2fa-*/` - Configuration backups ### Validation Tools - `./Project-Tests/security/2fa-validation.sh` - Complete 2FA validation - `./Project-Tests/run-tests.sh security` - Security test suite ### Emergency Contacts - System Administrator: [Contact Info] - Security Team: [Contact Info] - 24/7 Support: [Contact Info] ## Compliance and Audit ### Security Benefits - Significantly reduces risk of unauthorized access - Meets multi-factor authentication requirements - Provides audit trail of authentication events - Complies with security frameworks (NIST, ISO 27001) ### Audit Trail - All authentication attempts logged - 2FA setup events recorded - Configuration changes tracked - Emergency access documented --- **Last Updated:** July 14, 2025 **Version:** 1.0 **Author:** TSYS Security Team