We’re looking at different MFA options for two environments where we use ThinLinc.
- Users connecting (mostly via Web Access with some ssh/client access)
- ThinLinc to more restrictive systems is being tested where users log in to a webapp using Microsoft Authenticator. They generate an SSH key pair with a password on the key. Their private key is automatically stored in LDAP. A ThinLinc client is configured to connect to a specific system, specifying the new public key in the user's home directory. The user launches the ThinLinc client shortcut, enters their username, is prompted for the password on the key, and is granted access. SSHD on the server is configured to match users based on a specific group, requiring publickey auth using AuthenticationMethods, with AuthorizedKeysCommand and AuthorizedKeysCommandUser settings for that group.
We’re looking for other ways to use MS Authenticator (username/password auth, then push to Authenticator) or Cisco Duo, etc.
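
Added example, not part of the original post: a sketch of the kind of `AuthorizedKeysCommand` helper the sshd setup above implies, with the matching `Match Group` block shown in its comments. The post does not say how its command works, so the LDAP lookup of a public key in an `sshPublicKey` attribute, the group name, script path, LDAP URI and base DN are all assumptions.

```shell
#!/bin/sh
# Hypothetical helper, e.g. /usr/local/bin/ldap-authorized-keys (path is a placeholder).
# sshd requires the script to be owned by root and not writable by group or others.
#
# Matching sshd_config block (group name is a placeholder):
#   Match Group restricted-users
#       AuthenticationMethods publickey
#       AuthorizedKeysCommand /usr/local/bin/ldap-authorized-keys %u
#       AuthorizedKeysCommandUser nobody

: "${LDAP_URI:=ldaps://ldap.example.org}"       # placeholder
: "${LDAP_BASE:=ou=people,dc=example,dc=org}"   # placeholder

# Accept only plain account names, so the name cannot alter the LDAP filter.
valid_user() {
    case "$1" in
        ""|*[!a-zA-Z0-9._-]*) return 1 ;;
    esac
}

# Read LDIF on stdin and print one public key per line.
# Handles folded continuation lines and base64 ("::") encoded values.
extract_keys() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            sshPublicKey::\ *) printf '%s' "${line#sshPublicKey:: }" | base64 -d; echo ;;
            sshPublicKey:\ *)  printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done
}

main() {
    valid_user "$1" || exit 1
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$1))" sshPublicKey | extract_keys
}

# sshd invokes the script with the username (%u) as its only argument.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

If the helper prints nothing or exits non-zero, sshd finds no key for the user and, with `AuthenticationMethods publickey` set for the group, the login fails.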