MFA and SSH Key Enforcement in Production

Strengthening server access through MFA and SSH certificates. This technical deep dive highlights how TT Global Consulting implements secure, scalable authentication across production environments — drawing from real client projects and internal best practices.

Technical Deep Dives | Oct. 23, 2025 | Author: Tom

Why It Matters

Weak SSH practices and missing MFA are among the most common causes of breaches. By enforcing short-lived SSH certificates and MFA-backed access, you ensure every admin session is verified, logged and auditable.

Core Objectives

  • Eliminate password-based SSH access.
  • Require MFA for all privileged operations.
  • Use short-lived SSH certificates instead of static keys.
  • Centralize access control and session logging.

Our Recommended Architecture

  • Identity Provider (IdP): Okta, Azure AD, or Keycloak for MFA and group mapping.
  • SSH Certificate Authority: Signs user keys with 8-hour TTLs.
  • Bastion Host: Central access point enforcing logging and MFA.
  • Automation: Ansible and Terraform for configuration and rollout.
  • Auditing: Session logs forwarded to centralized monitoring.

Step-by-Step Overview

1. Inventory and Baseline

List all servers, identify any password-based SSH logins and plan CA key distribution.

2. Create an SSH Certificate Authority

Generate your CA key securely, store it in an HSM or YubiHSM, and distribute only the public key to servers:

sudo mkdir -p /etc/ssh/ca && sudo cp ca_user.pub /etc/ssh/ca/

Configure SSHD to trust the CA:

TrustedUserCAKeys /etc/ssh/ca/ca_user.pub
PasswordAuthentication no

3. Link IdP Groups to Roles

Map IdP roles to SSH principals and Unix groups (e.g. devops-admins → wheel).

4. MFA-Gated Certificate Issuance

Use your IdP session and MFA to request a short-lived SSH certificate:

ssh-keygen -s ca_user -I alex@ttgc -n devops.admin -V +8h ~/.ssh/id_ed25519.pub

5. Bastion Host Enforcement

All SSH traffic routes through a bastion:

Host prod-*
    ProxyJump bastion.ttgc.internal
    User ubuntu

Enable session recording and central log forwarding.

6. Automate Rollout

Apply consistent configuration with Ansible:

- hosts: all
  become: yes
  tasks:
    - name: Disable password SSH
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: 'PasswordAuthentication no'
        validate: '/usr/sbin/sshd -t -f %s'   # refuse to write a config sshd cannot parse
      notify: Restart sshd
    - name: Create CA directory  # copy does not create a missing parent directory
      file:
        path: /etc/ssh/ca
        state: directory
    - name: Deploy CA trust
      copy:
        src: ca_user.pub
        dest: /etc/ssh/ca/ca_user.pub
  handlers:
    - name: Restart sshd  # needed for the PasswordAuthentication change to take effect
      service:
        name: sshd   # the unit is named "ssh" on Debian/Ubuntu
        state: restarted

7. Enforce MFA for sudo

Require MFA at privilege elevation:

# /etc/pam.d/sudo
auth requisite pam_u2f.so cue

Validation Checklist

✅ Password SSH disabled on all servers
✅ All admin sessions pass through bastion
✅ MFA verified via IdP logs
✅ Certificate TTL ≤ 8h
✅ Sudo actions require U2F/TOTP
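One way to automate the "Certificate TTL ≤ 8h" and principal-mapping items of this checklist, as an added example rather than TT Global Consulting's own tooling: decode the fields of an issued OpenSSH user certificate (the ssh-ed25519-cert-v01@openssh.com wire format from OpenSSH's PROTOCOL.certkeys) and compare them against policy. The sample certificate is constructed with placeholder nonce, key and signature; the key ID and principal follow the article's examples, and signature verification is left to sshd.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
MAX_TTL = 8 * 3600  # article policy: certificate TTL <= 8h
USER_CERT = 1       # cert type field: 1 = user certificate, 2 = host certificate

def _s(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_cert(key_id: str, principals: list, valid_after: int, valid_before: int) -> bytes:
    """Constructed sample user cert; nonce, public key, CA key and signature are placeholders."""
    return (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x00" * 32)        # type, nonce, pubkey
            + struct.pack(">QI", 1, USER_CERT) + _s(key_id.encode())     # serial, type, key id
            + _s(b"".join(_s(p.encode()) for p in principals))           # principals list
            + struct.pack(">QQ", valid_after, valid_before)              # validity window
            + _s(b"") + _s(b"") + _s(b"")                                # crit. options, extensions, reserved
            + _s(b"placeholder-ca-key") + _s(b"placeholder-signature"))

def parse_cert(blob: bytes) -> dict:
    """Decode the policy-relevant fields of a cert blob (the base64 part of a -cert.pub line)."""
    pos = 0
    def rd(fmt=None):
        nonlocal pos
        if fmt:  # fixed-width integer
            (v,) = struct.unpack_from(fmt, blob, pos); pos += struct.calcsize(fmt); return v
        (n,) = struct.unpack_from(">I", blob, pos); pos += 4 + n          # SSH string
        return blob[pos - n:pos]
    ctype = rd(); rd(); rd()                                              # type, nonce, pubkey
    serial, kind, key_id, praw = rd(">Q"), rd(">I"), rd().decode(), rd()
    principals = []
    while praw:  # the principals field is itself a packed list of SSH strings
        (n,) = struct.unpack_from(">I", praw); principals.append(praw[4:4 + n].decode()); praw = praw[4 + n:]
    valid_after, valid_before = rd(">Q"), rd(">Q")
    return {"type": ctype.decode(), "serial": serial, "kind": kind, "key_id": key_id,
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def check_policy(cert: dict, allowed_principals: set) -> list:
    """Return the checklist violations for a decoded cert; an empty list means it passes."""
    problems = []
    if cert["kind"] != USER_CERT:
        problems.append("not a user certificate")
    ttl = cert["valid_before"] - cert["valid_after"]
    if ttl > MAX_TTL:
        problems.append(f"TTL {ttl // 3600}h exceeds {MAX_TTL // 3600}h")
    if not cert["principals"]:  # PROTOCOL.certkeys: empty principals = valid for any user
        problems.append("no principals: sshd would accept the cert for any account")
    unmapped = sorted(set(cert["principals"]) - allowed_principals)
    if unmapped:
        problems.append(f"principals without an IdP role mapping: {unmapped}")
    return problems
```

On a real host, feed `parse_cert` the base64-decoded second field of a `*-cert.pub` file and pass the set of principals produced by the IdP group mapping as `allowed_principals`.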

Rollout Strategy

  1. Pilot: Start with staging servers and a few admins.
  2. Shadow: Enable CA with password fallback for testing.
  3. Enforce: Disable passwords and require bastion access.
  4. Refine: Shorten TTLs and add IP restrictions.

Troubleshooting

  • SSH cert rejected: Check host’s TrustedUserCAKeys path.
  • No sudo access: Verify group mapping and principals.
  • MFA not triggering: Review PAM configuration.

Compliance Alignment

  • CIS Linux: SSH hardening & logging.
  • ISO 27001: Privileged access and monitoring controls.

TT Global Consulting’s Implementation Services

We help organizations design and deploy secure access controls with:

  • End-to-end SSH CA and MFA integration.
  • Automated rollout via Ansible and Terraform.
  • Bastion host deployment with full session audit.
  • IdP and key lifecycle management.

Get in touch to learn how TT Global Consulting can help secure your production infrastructure with modern, MFA-enforced SSH access.
