Enforce Multifactor Authentication when accessing servers or containers protected by ZeroLock®.
SSH-MFA (Secure Shell Multi-Factor Authentication) restricts SSH access to your ZeroLock-protected Linux system and can require two-factor authentication for user connections.
Note: Effective with ZMC v3.2.1, SSH-MFA rule resolution is performed at the agent level, so SSH-MFA no longer requires a connection to the ZMC to authenticate a login. This reduces the risk that a ZMC communication issue leaves a user unable to SSH to a protected endpoint.
Rule Creation
- From the ZeroLock® Management Console select Control Policies | Rules, then ADD Rules from the ACTIONS drop-down menu.
- Selecting Add New Rule from the drop-down menu opens the Add New Rule screen.
- Clicking the DATE/TIME Restrict checkbox expands the screen to show the date and time fields.
- The table below describes the fields required for a new policy rule.
| Field | Description |
|---|---|
| Name | The name that describes the rule being created. Descriptive naming is helpful as rules are added to the policy. |
| Description | An informative description of the rule's purpose. |
| Rule Type | SSH-MFA |
| IP Address | Optional. Adding an IP address to the rule checks the source IP address of the client logging into the protected system. The value may be a single IPv4 or IPv6 address, or an IPv4 or IPv6 CIDR range. To ignore the source IP address for this rule, enter 'ANY' in the field. |
| User | Optional. Specifies that the rule triggers when a specific Linux user tries to log into the system. For example, if 'root' is in this field, the rule triggers when someone attempts to log in as the 'root' user. |
| Day/Time | A time range and the days on which the rule is effective can be specified. The rule is effective on all days if no days are selected. |
| Active Dates (Start/End) | Optionally, the start and end date of the rule. |
| Active Days | The days on which this rule is active. |
| Time Window | The times, on a 24-hour clock, during which the rule is active. |
| Action | Required. The action taken when this rule is triggered: Allow lets the SSH session continue as normal; Authenticate subjects the SSH session to MFA; Reject terminates the session immediately. |
| Create | Creates the rule. |
- In this example, selecting CREATE activates the new SSH-MFA rule, which rejects any connection attempts on weekends.
- Congratulations! You have just created a new SSH-MFA rule.
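To make the rule fields above concrete, here is an added example (not ZeroLock's own code) that models how an SSH-MFA rule's IP Address, User, Active Dates, Active Days, Time Window and Action fields combine when a login is evaluated. It builds the weekend-reject rule from this page alongside two constructed rules, and assumes first-match-wins ordering, a `None` result when no rule matches, and Python's Monday=0 weekday numbering; ZeroLock's actual evaluation order and default behaviour are not documented on this page.

```python
"""Illustrative model of SSH-MFA rule matching (added example, not ZeroLock code)."""
import ipaddress
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import FrozenSet, Optional, Sequence, Tuple

# The three values the Action field accepts.
ALLOW, AUTHENTICATE, REJECT = "Allow", "Authenticate", "Reject"

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)  # datetime.weekday() numbering (assumption)


@dataclass(frozen=True)
class SshMfaRule:
    name: str
    action: str
    ip: str = "ANY"                                   # single IPv4/IPv6 address, CIDR range, or ANY
    user: Optional[str] = None                        # None: the rule applies to any Linux user
    active_days: FrozenSet[int] = frozenset()         # empty: effective on every day
    time_window: Optional[Tuple[time, time]] = None   # 24-hour clock; None: active all day
    start_date: Optional[date] = None                 # Active Dates (Start), inclusive
    end_date: Optional[date] = None                   # Active Dates (End), inclusive

    def __post_init__(self) -> None:
        if self.action not in (ALLOW, AUTHENTICATE, REJECT):
            raise ValueError(f"unknown action {self.action!r}")
        if self.ip.strip().upper() != "ANY":
            ipaddress.ip_network(self.ip, strict=False)  # reject a malformed address early

    def matches(self, src_ip: str, username: str, when: datetime) -> bool:
        """True when every populated field of the rule matches this login attempt."""
        if self.ip.strip().upper() != "ANY":
            net = ipaddress.ip_network(self.ip, strict=False)  # a bare address becomes a /32 or /128
            # An IPv4 source is never inside an IPv6 range (and vice versa); ipaddress returns False.
            if ipaddress.ip_address(src_ip) not in net:
                return False
        if self.user is not None and username != self.user:
            return False
        if self.start_date is not None and when.date() < self.start_date:
            return False
        if self.end_date is not None and when.date() > self.end_date:
            return False
        if self.active_days and when.weekday() not in self.active_days:
            return False
        if self.time_window is not None:
            start, end = self.time_window
            now = when.time()
            if start <= end:
                if not (start <= now <= end):
                    return False
            elif not (now >= start or now <= end):  # window crosses midnight, e.g. 22:00-06:00
                return False
        return True


def evaluate(rules: Sequence[SshMfaRule], src_ip: str, username: str, when: datetime) -> Optional[str]:
    """Return the Action of the first matching rule, or None if no rule matches.

    First-match-wins ordering and the None result are assumptions of this model.
    """
    for rule in rules:
        if rule.matches(src_ip, username, when):
            return rule.action
    return None


# Constructed rule set. The first rule is the weekend-reject rule from the page; the other two
# are invented to show the IP range, user and time-window fields working together.
SAMPLE_RULES = [
    SshMfaRule("Reject weekend SSH", REJECT, active_days=frozenset({SAT, SUN})),
    SshMfaRule("Allow office hours from corporate range", ALLOW, ip="10.0.0.0/8",
               active_days=frozenset({MON, TUE, WED, THU, FRI}),
               time_window=(time(8, 0), time(18, 0))),
    SshMfaRule("Require MFA for root from anywhere", AUTHENTICATE, ip="ANY", user="root"),
]


if __name__ == "__main__":
    saturday = datetime(2024, 6, 15, 10, 0)  # constructed timestamps
    monday = datetime(2024, 6, 17, 10, 0)
    for ip, user, when in [("10.1.2.3", "alice", saturday), ("10.1.2.3", "alice", monday),
                           ("203.0.113.5", "root", monday), ("203.0.113.5", "alice", monday)]:
        print(f"{when:%a %H:%M} {user}@{ip}: {evaluate(SAMPLE_RULES, ip, user, when)}")
```

Rules that leave IP Address, User or the Day/Time fields empty match any value for that field, which is why the weekend rule in the list above catches every login on a Saturday or Sunday regardless of source or user; the midnight-wrap branch shows the one edge case a Time Window evaluator must handle explicitly.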