How to force multifactor authentication when someone uses SSH to access a server or container protected by ZeroLock®.
Enforcing SSH-MFA two-factor authentication is a multi-step process, which the ZeroLock Management Console (ZMC) simplifies.
Create and Add a New Rule
- In the ZeroLock Management Console (ZMC) go to the Control Policies | Rules page then click Actions | Add New Rule.
- On the Add New Rule screen, complete the items using the table below. When done click CREATE.
| Field | Value |
| --- | --- |
| Rule Name | Authenticate all SSH connections |
| Description | This rule will force SSH MFA for all assigned Endpoints |
| Rule Type | SSH-MFA |
| IP Address | Leave as default |
| Day/Time | Leave as default |
| Start/End | Leave as default |
| Action | Authenticate |
Create a New Control Policy
- As shown below, go to the Control Policies | Policies page and click Add New Policy.
- Using the table, complete the required entries.
| Field | Value |
| --- | --- |
| Name | Force SSH Authentication |
| Description | This policy will force SSH authentication to all assigned endpoints. |
Add Rules
Clicking the Add Rules button brings up the Policy Rules screen.
- On the Policy Rules screen, use the TYPE drop-down menu to select the type of rule you want. Select SSH-MFA to bring up all those rules.
- Scroll down until you locate the newly created rule, Force SSH Authentication. Click the checkbox to select that rule, and then click ADD SELECTED.
- Clicking the Add Selected button returns you to the New Policy screen where selecting the CREATE button completes the creation of the new policy.
Create a New Endpoint Configuration Profile
- Go to the System Configuration | Config Profiles page and click Add New Profile.
- Using the table, complete the required entries then click CREATE.
| Field | Value |
| --- | --- |
| Name | Force SSH MFA and default settings |
| Description | This configuration restricts authentication while using all other defaults. |
| Default Control Policy | Force SSH Authentication |
Assign the Configuration Profile to an Endpoint
- Select Endpoints from the menu, then select the endpoint(s) to which you want to assign the new configuration policy. Click the Actions drop-down and select Set Endpoint Config(s).
- Select the new configuration, Force SSH MFA and default settings, and click Set Configs.
- From the Endpoints screen, you should be able to see the assigned Profile.
Test the SSH MFA Authentication Configuration
SSH to the assigned endpoint to verify that the two-factor authentication requirement works.