
Add two-factor authentication to your ssh in 30 seconds.

TL;DR: Jump to the bottom to see the video, and install it using:

Installation.

$ curl 'https://raw.github.com/authy/authy-ssh/master/authy-ssh' -o authy-ssh
$ sudo bash authy-ssh install /usr/local/bin
$ sudo /usr/local/bin/authy-ssh enable `whoami` <your-email> <your-country-code> <your-cellphone>
$ authy-ssh test
$ sudo service ssh restart

We love SSH here at Authy. We use it for practically everything: git, remote shell access, deployment scripts and even pair programming.

However, keeping it secure yet accessible for everyone turned out to be quite a challenge. At first we used X.509 certificates in authorized_keys and instructed everyone to protect their private certificates with a password. However, using multiple certificates, each with a different password, quickly became unmanageable. Reluctantly we resorted to a single certificate per user, protected with a password. This is far from ideal: if an employee's machine got hacked, the attacker could steal the certificate and easily use a keylogger to capture the password. With the password and certificate in hand, they would have access to virtually everything (including our source code through git-ssh).

We looked at other options, but they all looked like a lot of work. Finally we decided to reuse our own API to add two-factor authentication to all of our machines. We hacked together a quick bash script that connects to our API, and used the SSH ForceCommand directive to run this script before each login. The script verifies the user's token and, if it is correct, starts the session. This meant we could use multiple certificates again, without requiring everyone to protect them with passwords. Best of all, if anyone stole a certificate they still wouldn't be able to access any of the machines, because they would also need the One-Time-Password generated by the Authy App.
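A minimal sshd ForceCommand gate in the style described above, written here as an added example (it is not the authy-ssh script; the Authy API call is replaced by a pluggable verifier with a constructed offline stub, and the /usr/local/bin/otp-gate path, the 6-8 digit token format and the OTP_VERIFY_CMD / OTP_EXPECTED variables are assumptions):

```shell
#!/bin/sh
# Added illustration of the ForceCommand pattern described above; NOT the
# authy-ssh script itself. sshd_config would point at it with
#   ForceCommand /usr/local/bin/otp-gate        (path is an assumption)
# so it runs before every login: verify a one-time token, then hand over to
# the session the client asked for, or exit non-zero and drop the connection.
# The Authy API call is replaced by a pluggable verifier: OTP_VERIFY_CMD names
# a command that receives the token as $1 and exits 0 only if it is valid.
# stub_verify is a constructed offline stand-in (compares against OTP_EXPECTED).

# The token is attacker-controlled input: reject anything but a short all-digit
# code before it is passed to any external command (6-8 digits is an assumption).
token_is_well_formed() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -ge 6 ] && [ "${#1}" -le 8 ]
}

stub_verify() {  # constructed stand-in for the API check
    [ -n "${OTP_EXPECTED:-}" ] && [ "$1" = "$OTP_EXPECTED" ]
}

verify_token() {
    token_is_well_formed "$1" || return 1
    "${OTP_VERIFY_CMD:-stub_verify}" "$1"
}

# sshd places the command the client requested (git, scp, a deploy script) in
# SSH_ORIGINAL_COMMAND; an interactive login leaves it empty. Returns the argv
# line that otp_gate will exec, so the decision can be checked in isolation.
session_plan() {  # $1 = SSH_ORIGINAL_COMMAND, $2 = login shell
    if [ -n "$1" ]; then printf '%s -c %s\n' "$2" "$1"; else printf '%s -l\n' "$2"; fi
}

otp_gate() {
    shell="${SHELL:-/bin/sh}"
    # Prompt on the controlling tty so non-interactive clients (git over ssh)
    # are still asked; fail closed when no tty is available.
    [ -r /dev/tty ] || { echo "otp-gate: no tty for token prompt" >&2; exit 1; }
    printf 'Authy token: ' > /dev/tty
    stty -echo < /dev/tty; read -r token < /dev/tty; stty echo < /dev/tty; echo > /dev/tty
    verify_token "$token" || { echo "otp-gate: invalid token" >&2; exit 1; }
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then exec "$shell" -c "$SSH_ORIGINAL_COMMAND"; fi
    exec "$shell" -l
}

# Only gate when sshd is actually running us (it sets SSH_CONNECTION); sourcing
# or running the file elsewhere just defines the functions.
if [ -n "${SSH_CONNECTION:-}" ]; then otp_gate; fi
```

Because the script is exec'd by sshd for every login, any exit before the final exec closes the connection, so a verifier that errors out (network down, API unreachable) fails closed rather than letting the session through.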

We knew we couldn't be the only ones who wanted this, so we made a new version that anyone can install in less than 30 seconds. Let us know if you find it as useful as we do. The whole source code is on GitHub: https://github.com/authy/authy-ssh. Feel free to fork it and modify it as you wish. We wrote it in bash because we hate compiling things, and this means it runs everywhere without any special voodoo.

In the next few weeks we'll also be releasing the chef recipes we use internally, as well as some tips on how to scale this, so you can add it to one machine or a million. If you can't wait, it should be quite easy to hack this version to fit your company's needs. As always, simply e-mail us at [email protected] or join our campfire chat if you need help: https://authy.campfirenow.com/1c6c4.

By the way, we made a small video so you can see it in action; you can watch it below in full screen.