Multi-Factor Authentication (MFA) for Secure Shell (SSH) Guards Linux Fleets Against Intrusion and Lateral Movement
摘要
Cyberattacks that exploit weak or reused authentication credentials introduce persistent risks to Linux fleets, especially when intruders leverage Secure Shell (SSH) for unauthorized access and lateral movement among fleet members. This disquisition presents an innovative Identity and Access Management (IAM) approach enforcing centralized Multi-Factor Authentication (MFA) for SSH with up to four independent factors. Unlike conventional host-based setups, the proposed design utilizes a centralized OpenLDAP instance, removes local storage of secrets, mitigates password reuse, and minimizes opportunities for attackers to extract sensitive material from compromised nodes. The implementation accommodates regular, emergency, and Machine-to-Machine (M2M) authentication workflows while maintaining usability across operational environments. A subsequent security evaluation shows resilience against Brute Force Attacks (BFAs), buffer overflows, and exposure of authentication assets, yet acknowledges the continuing challenge of complete compromise, which demands behavioral monitoring and anomaly detection. This IAM approach enhances defenses against intrusion and lateral movement in large-scale Linux fleets and lays groundwork for integration with orchestration tools and zero-trust architectures.