Creating an SSH-MFA Rule

Enforce Multifactor Authentication when accessing servers or containers protected by ZeroLock®.

    SSH-MFA (Secure Shell Multi-Factor Authentication) lets you restrict SSH access to your ZeroLock-protected Linux systems and require two-factor authentication for user connections.

    Note: Effective with ZMC v3.2.1, SSH-MFA resolution is performed at the agent level, so SSH-MFA no longer requires a connection to the ZMC to provide authentication. This reduces the risk that a ZMC communication issue leaves a user unable to SSH to a protected endpoint.

    Rule Creation

    1. From the ZeroLock® Management Console select Control Policies | Rules, then ADD Rules from the ACTIONS drop-down menu.
      [Image: Step_1_A_Add New Rule v3.2.2]

    2. Selecting Add New Rule from the drop-down menu opens the following screen.

      [Image: Step_1_B_Rule Type Dropdown_SSHMFA]

    3. Clicking the DATE/TIME Restrict checkbox expands the screen fully.

      [Image: Step_1_C_Time Restrictions]

    4. The chart below this image guides you through filling in the required information for a new policy rule.

      [Image: Step_4_New Policy Rule Explained]


      Name

      The name that describes the rule being created.

      Descriptive naming is helpful as rules are added to the policy.

      Description

      An informative description of the rule's purpose.

      Rule Type

      SSH-MFA

      IP Address 

      Adding an IP address to the rule checks the source IP address of the connection logging into a protected system. The IP address may be a single IPv4 or IPv6 address, or an IPv4 or IPv6 CIDR range.

      If you want the source IP address to be ignored for this rule, enter 'ANY' in the field.

      Note:  This is an optional field.

      User

      You can specify that the rule triggers if a specific Linux user tries to log into the system. For example, if 'root' is in this field, the rule will trigger when someone attempts to log in as the 'root' user.

      Note:  This is an optional field.

      Day/Time

      A time range and the days that a rule is effective can be specified. The rule will be effective for all days if no days are selected.

      Active Dates (Start/End)

      You may optionally specify the start and end date of a rule.

      Active Days

      The days that this rule will be active.

      Time Window

      Using a 24-hour clock, the times that the rule will be active.

      Action

      You must specify the action taken if this rule is triggered.

      The options are Allow, Authenticate, or Reject.

      • Allow - allows the SSH session to continue as normal.
      • Authenticate - causes the SSH session to be subject to MFA.
      • Reject - terminates the session immediately.

      Create

      Creates the rule.

    5. Selecting CREATE activates the new SSH-MFA rule, which in this example rejects any connection attempts on weekends.

      [Image: Step_5_New Policy Rule Create-1]

    6. Congratulations! You have just created a new SSH-MFA rule.

      [Image: Step_6_Policy Rule Created_KB]
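The chart above describes the fields of a rule (source IP or CIDR or ANY, user, active dates, active days, time window, action) but not how they combine at evaluation time. The following Python model, added here as an illustration and not ZeroLock's own code, shows one consistent reading: every populated field must match the login attempt before the rule's action applies, an empty day set means all days, and an unmatched rule yields no decision. The rule names, IP ranges, users and timestamps in it are constructed sample values, and the all-fields-must-match semantics is an assumption about the product's behaviour.

```python
"""Model of how the fields of an SSH-MFA rule combine to match a login attempt.

This is an added illustration, not ZeroLock's own evaluation code. Assumption:
every populated field must match for the rule to trigger; an unmatched rule
returns None (no decision), so another rule or the default policy decides.
"""
from dataclasses import dataclass
from datetime import date, datetime, time
import ipaddress
from typing import FrozenSet, Optional, Tuple

ALLOW, AUTHENTICATE, REJECT = "Allow", "Authenticate", "Reject"


@dataclass
class SshMfaRule:
    name: str
    action: str                                   # Allow, Authenticate or Reject
    ip: str = "ANY"                               # single IPv4/IPv6 address, CIDR range, or ANY
    user: Optional[str] = None                    # None = any Linux user
    active_days: FrozenSet[int] = frozenset()     # 0=Mon .. 6=Sun; empty = all days
    time_window: Optional[Tuple[time, time]] = None  # (start, end) on a 24-hour clock
    start_date: Optional[date] = None
    end_date: Optional[date] = None

    def ip_matches(self, source_ip: str) -> bool:
        """ANY ignores the source; otherwise the source must fall in the address/range."""
        if self.ip.strip().upper() == "ANY":
            return True
        addr = ipaddress.ip_address(source_ip)
        # A bare address is treated as a /32 or /128 network, so one code path covers both.
        net = ipaddress.ip_network(self.ip, strict=False)
        return addr.version == net.version and addr in net

    def schedule_matches(self, when: datetime) -> bool:
        """Active dates, active days and the time window are all optional restrictions."""
        if self.start_date is not None and when.date() < self.start_date:
            return False
        if self.end_date is not None and when.date() > self.end_date:
            return False
        if self.active_days and when.weekday() not in self.active_days:
            return False
        if self.time_window is not None:
            start, end = self.time_window
            if not (start <= when.time() <= end):
                return False
        return True

    def matches(self, source_ip: str, user: str, when: datetime) -> bool:
        if self.user is not None and user != self.user:
            return False
        return self.ip_matches(source_ip) and self.schedule_matches(when)


def evaluate(rule: SshMfaRule, source_ip: str, user: str, when: datetime) -> Optional[str]:
    """Return the rule's action if the attempt matches it, else None."""
    return rule.action if rule.matches(source_ip, user, when) else None


# Constructed sample rules: the weekend-reject rule from step 5, plus a rule that
# subjects root logins from a hypothetical VPN range to MFA during office hours.
WEEKEND_REJECT = SshMfaRule("Reject weekend logins", REJECT, active_days=frozenset({5, 6}))
ROOT_MFA = SshMfaRule("MFA for root from VPN range", AUTHENTICATE, ip="10.8.0.0/24",
                      user="root", time_window=(time(8, 0), time(18, 0)))
IPV6_ALLOW = SshMfaRule("Allow lab IPv6 prefix", ALLOW, ip="2001:db8::/32")

SATURDAY = datetime(2024, 6, 1, 10, 0)   # constructed: a Saturday morning
MONDAY = datetime(2024, 6, 3, 9, 30)     # constructed: a Monday during office hours


if __name__ == "__main__":
    for rule, ip, user, when in [
        (WEEKEND_REJECT, "203.0.113.7", "alice", SATURDAY),
        (WEEKEND_REJECT, "203.0.113.7", "alice", MONDAY),
        (ROOT_MFA, "10.8.0.42", "root", MONDAY),
        (ROOT_MFA, "10.9.0.42", "root", MONDAY),
        (IPV6_ALLOW, "2001:db8::1", "alice", MONDAY),
    ]:
        print(f"{rule.name:30} {ip:14} {user:6} -> {evaluate(rule, ip, user, when)}")
```

Running the block prints one decision per sample attempt; the useful check is that a rule whose IP, user or schedule does not match returns None rather than silently allowing, which is why any real deployment still needs a default policy for unmatched connections.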