Pritunl Zero Two-Factor Authentication Released

Pritunl
Jan 4, 2018

Support for two-factor authentication has been added to Pritunl Zero. This allows two-factor authentication to be added to SSH or web services. Host SSH certificates are also now available along with support for bastion SSH servers.

Two-Factor Authentication

The new two-factor authentication support adds a second layer of authentication on top of the primary authentication, which includes Google, OneLogin, Okta and local users. Currently Duo, OneLogin Protect and Okta Verify are supported as two-factor providers. Duo supports push, phone, passcode and SMS factors. OneLogin and Okta support push and passcode. Two-factor authentication can be selectively required for admin, user, service and authority (SSH) authentications using policies. More information on configuring two-factor SSH authentication can be found in the documentation.

SSH Host Certificates

Host SSH certificates allow users to validate the authenticity of the SSH server to prevent man-in-the-middle attacks. Options to enable strict host checking have also been added to the authority settings. With strict host checking enabled, the user cannot connect to a server in the authority domain unless it presents a valid host certificate. More information on host certificates can be found in the documentation.
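The following is an added example, not code from the original post or from Pritunl: a client-side audit, using standard OpenSSH conventions (`@cert-authority` lines in known_hosts, `StrictHostKeyChecking` in ssh_config), of whether a hostname is covered by a trusted host CA and whether uncertified hosts would be refused. The function names, hostnames, key strings and file contents are constructed for illustration; `Match` blocks and `key=value` syntax are not handled.

```shell
#!/bin/sh
# Added example: audit host-CA trust and strict host checking (constructed sample files).

host_matches() {            # host_matches HOST PATTERNS (comma/space separated globs)
    host=$1; shift; matched=1
    set -f                  # keep "*" in patterns from expanding to file names
    for pat in $(printf '%s' "$*" | tr ',' ' '); do
        case $pat in
            '!'*) case $host in ${pat#?}) set +f; return 1 ;; esac ;;  # negated pattern wins
            *)    case $host in $pat) matched=0 ;; esac ;;
        esac
    done
    set +f; return $matched
}

has_host_ca() {             # has_host_ca HOST KNOWN_HOSTS_FILE
    while read -r marker patterns rest; do
        [ "$marker" = "@cert-authority" ] || continue
        host_matches "$1" "$patterns" && return 0
    done < "$2"
    return 1
}

strict_checking() {         # strict_checking HOST SSH_CONFIG_FILE
    applies=0               # options before the first Host line apply to all hosts
    while read -r key value; do
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            host)  if host_matches "$1" "$value"; then applies=0; else applies=1; fi ;;
            match) applies=1 ;;                 # Match blocks are not evaluated here
            stricthostkeychecking)
                [ "$applies" -eq 0 ] || continue
                # OpenSSH keeps the first value it obtains for an option
                [ "$value" = yes ] && return 0; return 1 ;;
        esac
    done < "$2"
    return 1                # unset means the default "ask", which is not strict
}

audit_host() {              # audit_host HOST KNOWN_HOSTS_FILE SSH_CONFIG_FILE
    if ! has_host_ca "$1" "$2"; then echo no-host-ca
    elif ! strict_checking "$1" "$3"; then echo ca-trusted-not-strict
    else echo ca-trusted-strict; fi
}

demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '@cert-authority *.corp.example ssh-ed25519 CONSTRUCTED-CA-KEY' \
    'legacy.other.example ssh-ed25519 CONSTRUCTED-HOST-KEY' > "$demo_dir/known_hosts"
printf '%s\n' 'Host *.corp.example' '    StrictHostKeyChecking yes' \
    'Host *' '    StrictHostKeyChecking ask' > "$demo_dir/config"
audit_host db1.corp.example "$demo_dir/known_hosts" "$demo_dir/config"
audit_host legacy.other.example "$demo_dir/known_hosts" "$demo_dir/config"
```

Because OpenSSH uses the first value it finds, a permissive `Host *` block placed above the domain-specific block silently disables strict checking, which the audit reports as `ca-trusted-not-strict`.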

SSH Bastion Server

Support for SSH bastion servers has been added to the authority settings. This will proxy all SSH connections in the authority domain through the bastion server.

SSH Demo

An SSH demo is now available on the Pritunl Zero homepage to demonstrate the new SSH client and host certificates. Below are the instructions for running the demo in a Docker container. The Pritunl SSH client is also available for macOS with Homebrew.

# This demo will be run in a temporary docker container
# For more information on installing the client visit
# https://docs.pritunl.com/docs/ssh-client
# Pull ubuntu xenial
docker pull ubuntu:xenial
# Start ubuntu container
docker run --rm -ti --entrypoint /bin/bash ubuntu:xenial
# Add pritunl repository (copy all lines together)
tee -a /etc/apt/sources.list.d/pritunl.list << EOF
deb http://repo.pritunl.com/stable/apt xenial main
EOF
apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv \
7568D9BB55FF9E5287D586017AE645C0CF8E292A
# Install openssh and pritunl-ssh
apt update
apt -y install openssh-client ca-certificates pritunl-ssh
# Generate ssh key, leave all prompts empty
ssh-keygen
# Enter file in which to save the key (/root/.ssh/id_rsa):
# Enter passphrase (empty for no passphrase):
# Enter same passphrase again:
# Configure pritunl-ssh using the values below
pritunl-ssh
# Enter Pritunl Zero user hostname: zero-demo-ssh.pritunl.com
# Enter key number or full path to key: 1
# Use cmd or ctrl double click to open the link
# Login with demo and approve the ssh key
# Verify strict host checking is working
ssh demo@zero-demo-error.pritunl.com
# Host key verification failed.
# Verify ssh certificate is working
ssh demo@zero-demo-host.pritunl.com
# Successfully authenticated to Pritunl Zero SSH demo

Documentation

More information can be found in the documentation.
