Reference Guide
Multi-Factor Authentication

Using MFA for SFTP Proxy

Kron PAM’s built-in MFA can be used to add a further layer of security to SFTP Proxy.

When users open an SFTP Client (WinSCP or FileZilla), they are prompted to enter their Kron PAM credentials to connect to the SFTP Proxy.

If MFA is activated for SFTP Proxy:

  • For FileZilla connections: After users log in successfully using their credentials, the following screen opens, where users are asked for an MFA token.
  • For WinSCP connections: Kron PAM credentials and MFA token are entered on the same screen.

SFTP clients also have their own configuration for MFA usage. For instance, the logon type should be set to interactive to enable MFA for a user. See Figure - MFA Usage on FileZilla below.

MFA Usage on FileZilla

MFA Usage on WinSCP


Only users in enabled User Groups can use MFA for SFTP connections. To enable MFA use for the user group, please refer to the section Enabling Multi-Factor Authentication (MFA).

To set up MFA for SFTP connections, follow the steps below:

Prerequisites: admins and users must have the QR code, must have installed the Kron PAM Mobile Client Application, and must have scanned the QR code with the Kron PAM Mobile Client Application. MFA must also be enabled for the user group using MFA for SSH connections.

  1. Establish an SSH connection to Kron PAM as the pamuser user.
  2. Edit the nsso.properties file under the /pam/gui/sftp/conf/ directory and add the following settings to this file:

       nsso.connection.otp.enabled=true
       nsso.otp.cache.enabled=true
       nsso.otp.cache.seconds=300

The first setting enables MFA. The second setting turns on OTP caching, and the third sets the cache duration to 300 seconds. This means that users who log in with an OTP are not asked for a token for the next 300 seconds, even if they disconnect and connect again.

  3. After setting the parameters, restart the SFTP proxy by running the following command:

       systemctl restart pam-sftp

After these settings are applied, users belonging to an MFA-enabled user group are asked for a token in the SFTP client when logging in to Kron PAM over port 3333.
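Step 2 as a repeatable script, so that an existing or duplicated entry (for example nsso.connection.otp.enabled=false) does not conflict with the added lines. This is an added example, not part of Kron PAM or its documentation; the function names set_prop, get_prop and enable_sftp_mfa are hypothetical, and it assumes nsso.properties holds plain key=value lines.

```bash
#!/usr/bin/env bash
# Added example, not Kron PAM code. Assumes plain "key=value" lines, one per line.

# set_prop FILE KEY VALUE: rewrite the first "KEY=" line, drop later duplicates,
# append the key if absent. Commented-out lines ("#KEY=...") are left untouched.
set_prop() {
    local file="$1" key="$2" value="$3" tmp rc
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            # Exact match only: the key must be followed directly by "=".
            if (index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*=/) {
                if (!done) { print k "=" v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# get_prop FILE KEY: print the value of KEY (the last definition, if repeated).
get_prop() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*=/ {
            val = line; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
        }
        END { print val }
    ' "$1"
}

# enable_sftp_mfa FILE [SECONDS]: apply the three settings from step 2 after
# saving a one-time backup next to the file.
enable_sftp_mfa() {
    local file="$1" seconds="${2:-300}"
    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak" || return 1
    set_prop "$file" nsso.connection.otp.enabled true &&
    set_prop "$file" nsso.otp.cache.enabled true &&
    set_prop "$file" nsso.otp.cache.seconds "$seconds"
}

# On the Kron PAM host, as pamuser, followed by the restart from step 3:
#   enable_sftp_mfa /pam/gui/sftp/conf/nsso.properties && systemctl restart pam-sftp
```

Running get_prop on each of the three keys after the restart confirms what the proxy will read; the value of nsso.otp.cache.seconds is the window during which a reconnect is accepted without a new token.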