mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-18 04:04:39 -05:00
191 lines
7.7 KiB
Markdown
191 lines
7.7 KiB
Markdown
---
|
|
layout: doc
|
|
title: Multifactor Authentication
|
|
permalink: /doc/multifactor-authentication/
|
|
redirect_from:
|
|
- /en/doc/multifactor-authentication/
|
|
- /doc/Multi-factorAuthentication/
|
|
---
|
|
|
|
Using Multi-factor Authentication with Qubes
|
|
============================================
|
|
|
|
(Note: This page concerns multi-factor authentication for logging into external
|
|
services, not for logging into Qubes itself. For the latter, see
|
|
[here][YubiKey].)
|
|
|
|
[Multi-factor authentication (MFA)][MFA] today most commonly takes the form of a
|
|
numerical code generated by a smartphone app or sent via SMS (text message)
|
|
which the user must enter in addition to a password in order to log in to a
|
|
website or other service.
|
|
|
|
One of the primary features of Qubes is that it allows us to create securely
|
|
isolated VMs which can run arbitrary programs. (These VMs are securely isolated
|
|
not only from each other but also, optionally, from the network.) This means
|
|
that we can create a dedicated, network-isolated VM to function as a secure
|
|
authenticator.
|
|
|
|
This guide will show you how to set up a VM which uses [oathtool][], an
|
|
open-source one-time password tool, to generate authentication codes. This
|
|
method presents several benefits over relying on a consumer smartphone app or
|
|
SMS:
|
|
|
|
* `oathtool` includes the [time-based one-time password (TOTP)][TOTP]
|
|
algorithm, which is the same algorithm used by [Google Authenticator][], one
|
|
of the most commonly used authenticator apps. This means that we can use
|
|
`oathtool` as a complete open-source replacement for Google Authenticator
|
|
(which became propriety (closed-source) in May 2013 after version 2.21).
|
|
|
|
* By keeping all of our authenticator data as plain text files in a dedicated
|
|
VM, we have complete control over the secret keys used to generate our
|
|
authentication tokens, and we can back up, copy, and transfer our
|
|
authenticator data at will.
|
|
|
|
* By creating a minimal environment in which to run `oathtool` from the command
|
|
line, we can minimize our attack surface relative to most smartphone apps and
|
|
SMS. Consumer smartphones are typically internet-facing devices which are
|
|
increasingly targeted by malware. Most smartphones are bundled with
|
|
proprietary software which allows service providers almost complete control
|
|
over the device. Likewise, consumer SMS messages are often cleartext
|
|
communications which can feasibly be intercepted and read by third parties.
|
|
(In cases in which SMS messages are encrypted on the network by the service
|
|
provider, the service provider itself still has full access, which means that
|
|
the contents of such messages could be read by unscrupulous admins or turned
|
|
over to government agencies.)
|
|
|
|
* Using `oathtool` in a dedicated, network-isolated Qubes VM allows us to
|
|
achieve a unique combination of security and convenience. The strong isolation
|
|
Qubes provides allows us to reap the full security benefits of MFA, while
|
|
virtualization frees us from having to worry about finding and handling a
|
|
second physical device.
|
|
|
|
|
|
Optional Preparation Steps
|
|
--------------------------
|
|
|
|
1. Start with a minimal template. In this example, we'll use the
|
|
[minimal Fedora template][FedoraMinimal]. Get it if you haven't already done
|
|
so:
|
|
|
|
[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-fedora-30-minimal
|
|
|
|
2. Since we'll be making some modifications, you may want to clone the minimal
|
|
template:
|
|
|
|
[user@dom0 ~]$ qvm-clone fedora-30-minimal fedora-30-min-mfa
|
|
|
|
3. To open a root shell on the minimal template (for details, see [Passwordless Root]), run the following command:
|
|
|
|
[user@dom0 ~]$ qvm-run -u root fedora-30-min-mfa xterm
|
|
|
|
4. Since this is going to be a minimal environment in which we run `oathtool`
|
|
from the command line, we'll install only a couple of packages:
|
|
|
|
[root@fedora-30-min-mfa ~]# dnf install oathtool vim-minimal
|
|
[root@fedora-30-min-mfa ~]$ poweroff
|
|
|
|
5. Create an AppVM and set it to use the TemplateVM we just created:
|
|
|
|
[user@dom0 ~]$ qvm-create -l black mfa
|
|
[user@dom0 ~]$ qvm-prefs -s mfa template fedora-30-min-mfa
|
|
|
|
6. Isolate the new AppVM from the network:
|
|
|
|
[user@dom0 ~]$ qvm-prefs -s mfa netvm none
|
|
|
|
|
|
Using the MFA AppVM
|
|
-------------------
|
|
|
|
Now that we have an AppVM set up to use `oathtool` securely, let's use it with
|
|
an external service. This process will vary slightly from service to service but
|
|
is largely the same.
|
|
|
|
1. Proceed with setting up multi-factor authentication as you normally would.
|
|
If you are prompted to scan a QR code, instead select the option (if
|
|
available) to view the secret key as text:
|
|
|
|
![Secret Key Example 0](/attachment/wiki/Multi-factorAuthentication/secret-key-example-0.png)
|
|
|
|
You should then see the secret key as text:
|
|
|
|
![Secret Key Example 1](/attachment/wiki/Multi-factorAuthentication/secret-key-example-1.png)
|
|
|
|
Note that the length and format of the secret key may vary by service:
|
|
|
|
![Secret Key Example 2](/attachment/wiki/Multi-factorAuthentication/secret-key-example-2.png)
|
|
|
|
2. In your MFA AppVM, you can now use `oathtool` to generate base32 TOTP
|
|
authentication tokens just like Google Authenticator would. In this example,
|
|
we'll use the secret key `xd2n mx5t ekg6 h6bi u74d 745k n4m7 zy3x` from the
|
|
second image above (substitute your own):
|
|
|
|
[user@mfa ~]$ oathtool --base32 --totp "xd2n mx5t ekg6 h6bi u74d 745k n4m7 zy3x"
|
|
279365
|
|
|
|
The output is `279365`. This is what you would enter when prompted for an
|
|
authenticator code. (Note that this is a *time*-based one-time password,
|
|
which means that your VM's clock must be sufficiently accurate in order to
|
|
generate a valid token. Qubes handles VM time syncing automatically, so you
|
|
normally shouldn't have to worry about this. As usual, the token will change
|
|
after a short period of time.)
|
|
|
|
3. To make this easier on ourselves in the future, we can create a simple shell
|
|
script for each service we use. (The example service here is a Google
|
|
account, using the example key from above. You'll get a unique secret key
|
|
from each service.) Create the script like so:
|
|
|
|
[user@mfa ~]$ > google
|
|
[user@mfa ~]$ vi google
|
|
|
|
#!/usr/bin/env bash
|
|
##My Google Account
|
|
##me@gmail.com
|
|
oathtool --base32 --totp "xd2n mx5t ekg6 h6bi u74d 745k n4m7 zy3x"
|
|
|
|
[user@mfa ~]$ chmod +x google
|
|
|
|
Since the secret key stored in the script never changes, we should never
|
|
have to update this script, but we can easily do so if we ever want to.
|
|
|
|
4. Now, whenever Google prompts us for an authenticator code, all we have to do
|
|
is this:
|
|
|
|
[user@mfa ~]$ ./google
|
|
640916
|
|
|
|
Done!
|
|
|
|
5. Now you can create scripts for any other TOTP-supporting services you use,
|
|
and enjoy the security and ease of quickly generating authentication tokens
|
|
right from your Qubes VM command-line:
|
|
|
|
[user@mfa ~]$ ./github
|
|
495272
|
|
[user@mfa ~]$ ./aws
|
|
396732
|
|
[user@mfa ~]$ ./facebook
|
|
851956
|
|
[user@mfa ~]$ ./dropbox
|
|
294106
|
|
[user@mfa ~]$ ./microsoft
|
|
295592
|
|
[user@mfa ~]$ ./slack
|
|
501731
|
|
[user@mfa ~]$ ./wordpress
|
|
914625
|
|
[user@mfa ~]$ ./tumblr
|
|
701463
|
|
|
|
For a more complete list of compatible services, see [here][usage].
|
|
|
|
|
|
[YubiKey]: /doc/YubiKey/
|
|
[MFA]: https://en.wikipedia.org/wiki/Multi-factor_authentication
|
|
[oathtool]: http://www.nongnu.org/oath-toolkit/man-oathtool.html
|
|
[TOTP]: https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
|
|
[Google Authenticator]: https://en.wikipedia.org/wiki/Google_Authenticator
|
|
[FedoraMinimal]: /doc/Templates/FedoraMinimal/
|
|
[usage]: https://en.wikipedia.org/wiki/Google_Authenticator#Usage
|
|
[Passwordless Root]: /doc/templates/minimal/#passwordless-root
|