Creating an SSH-MFA Rule
Enforce Multifactor Authentication when accessing servers or containers protected by ZeroLock®.
SSH-MFA (Secure Shell Multi-Factor Authentication) can restrict SSH access on your ZeroLock-protected Linux system and can require two-factor authentication for user connections.
Note: Effective with ZMC v3.2.1, SSH-MFA resolution is performed at the agent level, so SSH-MFA no longer requires a connection to the ZMC to provide authentication. This reduces the risk that ZMC communication issues leave a user unable to SSH to a protected endpoint.
Rule Creation
- From the ZeroLock® Management Console, select Control Policies | Rules, then ADD Rules from the ACTIONS drop-down menu. 
- Selecting Add New Rule from the drop-down menu opens the following screen. 
- Clicking the DATE/TIME Restrict checkbox expands the screen. 
- The chart below this image guides you through filling in the required information for a new policy rule. 

| Field | Description |
| --- | --- |
| Name | The name that describes the rule being created. Descriptive naming will be helpful as rules are added to the policy. |
| Description | An informative description of the rule's purpose. |
| Rule Type | SSH-MFA |
| IP Address | Adding an IP address to the rule will check the source IP address logging into a protected system. The IP address may be a single IPv4 or IPv6 address, or an IPv4 or IPv6 CIDR range. If you want the source IP address to be ignored for this rule, put 'ANY' in the field. Note: This is an optional field. |
| User | You can specify that the rule triggers if a specific Linux user tries to log into the system. For example, if 'root' is in this field, the rule will trigger when someone attempts to log in as the 'root' user. Note: This is an optional field. |
| Day/Time | A time range and the days that a rule is effective can be specified. The rule will be effective for all days if no days are selected. |
| Active Dates (Start/End) | You may optionally specify the start and end date of a rule. |
| Active Days | The days that this rule will be active. |
| Time Window | Using a 24-hour clock, the times that the rule will be active. |
| Action | You must specify the action taken if this rule is triggered. The options are Allow, Authenticate, or Reject. Allow: allows the SSH session to continue as normal. Authenticate: causes the SSH session to be subject to MFA. Reject: terminates the session immediately. |
| Create | Creates the rule. |

- Selecting CREATE activates the new SSH-MFA rule, rejecting any connection attempts on the weekends. 
- Congratulations! You have just created a new SSH-MFA rule. 
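
Before creating a rule, it can help to check which connection attempts its fields would cover. The following is an added example, not ZeroLock code: a local Python model of the fields in the chart above. The names `Rule`, `ip_matches` and `triggered_action` are hypothetical, and it assumes that a blank optional field matches everything, that active dates are inclusive, and that a time window whose end precedes its start wraps past midnight.

```python
# Added example: a local model of the rule fields in the chart, not ZeroLock code.
import ipaddress
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional, Tuple

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

@dataclass(frozen=True)
class Rule:
    action: str                                  # Allow, Authenticate or Reject
    ip: str = "ANY"                              # single address, CIDR range, or 'ANY'
    user: Optional[str] = None                   # assumption: blank matches every user
    active_days: frozenset = frozenset()         # none selected = all days (per the chart)
    window: Optional[Tuple[time, time]] = None   # 24-hour clock; assumption: blank = all day
    dates: Optional[Tuple[date, date]] = None    # assumption: start and end inclusive

def ip_matches(rule_ip: str, src_ip: str) -> bool:
    if rule_ip.strip().upper() == "ANY":
        return True
    # A single address parses as a /32 (IPv4) or /128 (IPv6) network.
    net = ipaddress.ip_network(rule_ip.strip(), strict=False)
    return ipaddress.ip_address(src_ip) in net   # False when IP versions differ

def triggered_action(rule: Rule, src_ip: str, user: str, when: datetime) -> Optional[str]:
    """Return the rule's action if every populated field matches, else None."""
    if not ip_matches(rule.ip, src_ip):
        return None
    if rule.user is not None and rule.user != user:
        return None
    if rule.active_days and DAYS[when.weekday()] not in rule.active_days:
        return None
    if rule.dates and not (rule.dates[0] <= when.date() <= rule.dates[1]):
        return None
    if rule.window:
        start, end = rule.window
        now = when.time()
        # Assumption: a window whose end precedes its start wraps past midnight.
        inside = start <= now <= end if start <= end else (now >= start or now <= end)
        if not inside:
            return None
    return rule.action

# Constructed sample rules: a weekend reject rule and MFA for root from one subnet.
WEEKEND_REJECT = Rule(action="Reject", active_days=frozenset({"Sat", "Sun"}))
ROOT_MFA = Rule(action="Authenticate", ip="10.20.0.0/16", user="root",
                window=(time(8, 0), time(18, 0)))

if __name__ == "__main__":
    print(triggered_action(WEEKEND_REJECT, "203.0.113.7", "alice", datetime(2024, 6, 1, 9, 30)))
```

A result of `None` means the modelled rule was not triggered by that attempt; how ZeroLock handles attempts that match no rule is not covered here.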