Best Practices for 2-Factor Authentication and Password Creation on Linux
As we mentioned in the previous article, web browsers present the largest and the most exposed attack surface on your Linux workstation. We’ve already discussed some best practices that Linux sysadmins can follow to reduce the impact of a compromised browser, such as upgrading to Wayland, using a different browser for work/high-security sites, and using Firejail to create a sandbox around Linux applications.
This time, we’ll cover a few more best practices involving 2-factor authentication and password creation and use.
Use Fido U2F for website 2-factor authentication
Fido U2F is a standard developed specifically to provide a mechanism for 2-factor authentication and combat credential phishing. Regular OTP (one-time password) mechanisms are ineffective in the case where the attacker is able to trick you into submitting your password and token into a malicious site masquerading as a legitimate service.
The U2F protocol stores site-specific authentication data on the USB token, which prevents you from accidentally handing an attacker both your password and your one-time token when you attempt to use it on anything other than the legitimate website. See the following site for a curated list of services providing Fido U2F support:
Note that not all browsers currently support U2F-capable hardware tokens, and if you use sandboxes or virtualization-based isolation around your browser, you may have to work extra hard to enable USB pass-through from the application to your USB token.
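The origin binding described above is what defeats credential phishing. The following Go program is an added illustration written for this article, not code from the article or from any U2F implementation: it models a token that holds one key per application parameter (SHA-256 of the appID), a browser that derives the appID and client data from the origin it is actually showing, and a relying party that verifies against its own appID. The origins `accounts.example.com` and `accounts.examp1e.com`, the challenge value and the `Login` scenario function are constructed for the walkthrough.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Constructed origins for the walkthrough: the real service and a look-alike.
const (
	legitAppID = "https://accounts.example.com" // assumed legitimate relying party
	phishAppID = "https://accounts.examp1e.com" // assumed phishing look-alike
)

// Token is a toy authenticator: one P-256 key per application parameter plus a
// signature counter. Real tokens wrap the key in an opaque key handle; a map
// keyed by the application parameter models the same appID-bound lookup.
type Token struct {
	keys    map[[32]byte]*ecdsa.PrivateKey
	counter uint32
}

func NewToken() *Token { return &Token{keys: map[[32]byte]*ecdsa.PrivateKey{}} }

// appParam is the U2F application parameter: SHA-256 of the appID (origin).
func appParam(appID string) [32]byte { return sha256.Sum256([]byte(appID)) }

// ClientData is assembled by the browser, not by the page: it records the origin
// the browser actually loaded together with the server's challenge.
type ClientData struct{ Origin, Challenge string }

func (c ClientData) hash() [32]byte {
	return sha256.Sum256([]byte(c.Origin + "\x00" + c.Challenge))
}

// Register creates a key scoped to appID; the public key goes to the relying party.
func (t *Token) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[appParam(appID)] = priv
	return &priv.PublicKey, nil
}

// signedMessage mirrors the U2F authentication signature layout:
// appParam || user-presence flag || counter || clientDataHash, hashed for ECDSA.
func signedMessage(ap [32]byte, counter uint32, cdh [32]byte) []byte {
	buf := make([]byte, 0, 69)
	buf = append(buf, ap[:]...)
	buf = append(buf, 0x01) // user presence asserted
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf = append(buf, ctr[:]...)
	buf = append(buf, cdh[:]...)
	sum := sha256.Sum256(buf)
	return sum[:]
}

// Authenticate is the token side. The appID comes from the origin the browser is
// showing, so a page cannot request another site's key: no key, no signature.
func (t *Token) Authenticate(appID string, cd ClientData) (uint32, []byte, error) {
	ap := appParam(appID)
	priv, ok := t.keys[ap]
	if !ok {
		return 0, nil, errors.New("token: no key registered for this origin")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ap, t.counter, cd.hash()))
	return t.counter, sig, err
}

// Verify is the relying-party side: rebuild the message with its own appID and
// the received ClientData, then check the signature against the registered key.
func Verify(pub *ecdsa.PublicKey, appID string, cd ClientData, counter uint32, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedMessage(appParam(appID), counter, cd.hash()), sig)
}

// Login registers the token with the real site, then attempts a login from
// pageOrigin. The browser derives both the appID and ClientData.Origin from the
// page it is actually showing; the relying party always verifies with its own appID.
func Login(pageOrigin string) (bool, error) {
	tok := NewToken()
	pub, err := tok.Register(legitAppID)
	if err != nil {
		return false, err
	}
	cd := ClientData{Origin: pageOrigin, Challenge: "c-0001"} // constructed challenge
	ctr, sig, err := tok.Authenticate(pageOrigin, cd)
	if err != nil {
		return false, err // token refused: nothing for a phishing page to relay
	}
	return Verify(pub, legitAppID, cd, ctr, sig), nil
}
```

`Login(legitAppID)` verifies, while `Login(phishAppID)` fails at the token: the look-alike page can relay the real site's challenge, but the browser hands the token an appID for the origin the user is really on, and the token holds no key for it. Contrast this with an OTP code, which the user would type into the look-alike page just as readily as into the real one.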
Using strong, unique, randomly generated passwords should be a critical requirement for every member of your team. Credential theft is happening all the time — either via compromised computers, stolen database dumps, remote site exploits, or any number of other means. No credentials should be reused across different sites, ever.
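"Randomly generated" has to mean drawn from a cryptographic source without bias, and "strong" has to be sized against a target. The following Go snippet is an added example for this article, not code from the article or from any password manager: it draws symbols with `crypto/rand`, avoiding the modulo bias a naive `byte % len(alphabet)` would introduce, and computes how long a password over a given alphabet must be to reach a chosen entropy. The alphabet constant and the 128-bit target used in the usage note are assumptions for the illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"math"
	"math/big"
)

// FullAlphabet is printable ASCII minus space: 94 symbols (constructed for this example).
const FullAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" +
	"!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

// GeneratePassword draws n symbols uniformly from alphabet using the OS CSPRNG.
// rand.Int performs rejection sampling internally, so every symbol is equally
// likely; reducing a random byte modulo len(alphabet) would skew the distribution.
func GeneratePassword(n int, alphabet string) (string, error) {
	if n <= 0 || len(alphabet) < 2 {
		return "", errors.New("need a positive length and at least two symbols")
	}
	out := make([]byte, n)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err // CSPRNG failure: never fall back to a weaker source
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// EntropyBits is the search-space size, in bits, of a uniformly random password
// of length n over an alphabet of k symbols: n * log2(k).
func EntropyBits(n, k int) float64 { return float64(n) * math.Log2(float64(k)) }

// LengthForBits returns the shortest length that reaches target bits over an
// alphabet of k symbols; this is the number to put in a manager's length setting.
func LengthForBits(target float64, k int) int {
	return int(math.Ceil(target / math.Log2(float64(k))))
}
```

With the 94-symbol alphabet, `LengthForBits(128, 94)` returns 20, so a 20-character random password already exceeds the strength of a 128-bit key; the same function sized against a 7776-word Diceware list gives 10 words. Because every password comes from a fresh `GeneratePassword` call, reuse across sites never arises.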
In-browser password manager
Every browser has a mechanism for saving passwords that is fairly secure and can sync with vendor-maintained cloud storage while keeping the data encrypted with a user-provided passphrase. However, this mechanism has important disadvantages:
1. It does not work across browsers
2. It does not offer any way of sharing credentials with team members
Several well-supported, free or cheap password managers are well integrated into multiple browsers, work across platforms, and offer group sharing (usually as a paid service). Solutions can be easily found via search engines.
Standalone password manager
One of the major drawbacks of any password manager that comes integrated with the browser is the fact that it’s part of the application that is most likely to be attacked by intruders. If this makes you uncomfortable (and it should), you may choose to have two different password managers — one for websites that is integrated into your browser, and one that runs as a standalone application. The latter can be used to store high-risk credentials, such as root passwords, database passwords, other shell account credentials, etc.
It may be particularly useful to have such a tool for sharing superuser account credentials with other members of your team (server root passwords, ILO passwords, database admin passwords, bootloader passwords, etc.).
A few tools can help you:
• KeePassX, which improves team sharing in version 2
• Pass, which uses text files and PGP and integrates with Git
• Django-Pstore, which uses GPG to share credentials between admins
• Hiera-Eyaml, which, if you are already using Puppet for your infrastructure, may be a handy way to track your server/service credentials as part of your encrypted Hiera data store
The next, and final, article of this series will cover how to secure SSH and PGP private keys -- another essential step in guarding your Linux sysadmin workstation from potential attackers.