Introduction
It's standard practice for hardened security professionals to secure their privileged SSH logins with SSH key authentication. SSH key authentication prevents brute force attacks and weak passwords from compromising system security and is especially important when you expose an SSH server to the Internet.
The LogonBox Authenticator is a modern mobile app that uses strong cryptography to authenticate users into operating systems and websites. At the heart of its authentication protocol, the LogonBox Authenticator uses ED25519 keys, which makes the credentials compatible with many SSH servers.
LogonBox Developers and our colleagues at Jadaptive have added support to the LogonBox Authenticator to use the apps' credentials with SSH public key authentication.
When combined with Jadaptive's Desktop Agent software, you can use your LogonBox Authenticator credentials with any standardized SSH or SFTP client.
The ssh-agent, part of the popular OpenSSH suite of applications, allows you to load private keys into memory to prevent you from typing in your passphrase for each SSH connection. Jadaptive's Desktop Agent utilizes the same mechanism as the ssh-agent to communicate with the LogonBox Authenticator, enabling it to authorize and sign authentication requests using the credentials stored on your mobile phone. The user authorizes the request on their mobile phone, just like when they log into a website or when they log into Windows.
The LogonBox Authenticator also exposes a legacy RSA key for use when the SSH implementation does not support the ED25519 algorithm to ensure full compatibility for legacy SSH servers.
Set up the LogonBox Authenticator
If you have already set up the LogonBox Authenticator to log into your LogonBox service via your browser or Windows, you should be able to skip this step.
For users that have come this far but do not already have any LogonBox service to log into, you can still use the LogonBox Authenticator with your SSH servers by signing up for a free individual account at https://www.logonbox.com/content/authenticator/begin/
Once registered, log into your LogonBox service. As a regular user, you will see the Setup the LogonBox app section on your dashboard. Administrative users will need to switch to My Profile -> Overview to see the same page.
Visit the app store for your device and install the LogonBox Authenticator app. After opening the app, it will prompt you to scan the QR code displayed on the screen. Scan this to create your LogonBox Authenticator credentials.
Once complete your credentials will be listed in the Authenticators Credentials page.
Configure your SSH Servers
Now that you have the LogonBox Authenticator registered and a set of credentials that enable you to log on to your LogonBox Server. You can now use the URL below to get a copy of the public keys of your LogonBox Authenticator credentials.
https://<server>/authorizedKeys/<username>
The URL will output the keys in the browser in the same format as required by OpenSSH's authorized_keys file.
# Authorized keys for lee@logonbox.com
ssh-ed25519 AAAAC3NzaC1lZDI1TE5AAAAII/qBoZoP96AnBUmLwMoXBCxqi8LAIiezDiekvOA0Y Android 12.0
ssh-rsa AAAAB3NzaC1yc2EAAADB34A7kyy4iv1wpgC1FfJn+dsIEnnvrwenItqdN7L9q6GLrIHidCfIRNLIO6yLdK
VBVULCqxlj/6x1vnOQQPmzZ+KLKTwZs1S1pf5etXLKEFp9DRsTq7aKJLFc6iRJoRtcNfrHosaP4kGV+x3PA7bObS1c
eDN2bmi52DEvU0H/xJ4MbzJt8dyEjWFoDvMhqGi5tR3depX+YtdPiZPuxptobSVGoHZO3KrPUzHh8aZ1W8KZyrhL8o
kHgNvHC+5TdlnACy8D2JrTZlBI5bGm5RTX3f9ld5cYuwShICehUmnlW1/cIIesHbalY9OGLhxf/8= Legacy RSA
Copy these into the authorized_keys files on your SSH servers.
If you want to configure other keys on the same server, place the authenticators' keys first in the list, so they get used in preference to any other keys you install afterwards.
Download and install Desktop Agent.
Jadaptive's Desktop Agent is an open-source application released under the GPL and is a direct replacement for the OpenSSH ssh-agent or PuTTYs Pageant.
Download at https://jadaptive.com/en/products/desktop-ssh-agent
- Download, install and open the Desktop Agent.
- From the Desktop Agent icon in the system tray, open the menu and select Preferences.
- Select the Authenticator tab, and enter the details of your LogonBox Authenticator account.
The account name is the name you use to log in to your LogonBox service or can also be the email address you have registered with that account.
The hostname is the server name you log into when logging in to LogonBox. For users that signed up for the free account, this will be agent.logonbox.directory.
Save the settings.
You can now try out the authenticator by connecting to one of your servers. Open up a terminal and use the ssh command, open PuTTY, or use the Desktop Agent's built-in terminal.
When the SSH client performs public-key authentication, it requests that the agent signs your authentication request, sending a push notification to your mobile phone. If your app is in the background, click on the push notification to open the app. It will then present you with the Authorization screen. Click Authorize to sign the request. The phone then sends the signed request back to your client and then onto the server, where the SSHD will consult the user's authorized_keys file to check the keys signing the request are valid.
When your phone is in the foreground, the Authorization screen displays automatically. If your phone does not receive a push notification for some reason, you can swipe left on the credentials within the app and click the Authorize button.
IMPORTANT: The communication protocol used never exposes your private key. The private key is held securely on your mobile device, and no LogonBox process can access it.