The newest Halo release includes GhostPorts SMS: two-factor authentication using a password plus SMS text messages. In this post we’d like to walk you through setting up a user account to authenticate with GhostPorts-SMS. All you need is a cell phone!
Setting up the user account
Let’s create a new account so you can see how to set up SMS authentication. First, log in as a Portal Site Administrator (Standard Users will need to ask an admin to set these up). From the Halo main menu click “Settings” and then “Site Administration”. Click on the “Users” tab (you can go directly there by clicking on https://portal.cloudpassage.com/settings/users). Click on “Invite New User” to create a new account, and fill in the new user’s name and email address. When you fill in the username, you can pick anything that’s not in use, but I tend to add “-sms” to the end to remind me that I need to use a cell phone to log in.
In the next section, decide if this user will have portal access at all, and if so, whether they’ll be a standard user or site administrator.
Now we set up authentication. Check off “Enable GhostPorts access” and choose “SMS Code and Halo password”. A box will show up just below; enter the user’s phone number in the box:
There are examples of how to enter United States and overseas numbers at the bottom. Note that sending SMS text messages to international numbers is under test – we’ve had good luck with it so far but it’s possible it won’t work in every country (please let us know in the community forums if you run into any problems, and include the country and carrier in your report).
Press “Invite” when that’s all entered, and you should see this note when you get back to the User Account tab:
Making a firewall rule that uses GhostPorts
In our example, we’re trying to lock down access to an internal wiki running on https (tcp port 443). Instead of allowing access from every address on the Internet, we’d like to limit access to just authorized users. Here’s how we’ll do it.
Bring up the firewall used by this server in the Portal. We’re going to change the incoming rule for https, secure web; where it used to allow a source of “any” (anyone on the Internet could get to it), we’re going to change that:
We can pick “jparker-sms” to only give access to the machine where John is sitting, or we can pick “All GhostPorts users” to cover everyone who has GhostPorts turned on in the Portal. Pick one or the other, and don’t forget to press “Apply” at the bottom when you’re done.
[Halo Trick: if you want to give access to a few GhostPorts users but not all of them, duplicate the firewall rule, one for each user, and put the allowed users in the Source field of those rules.]
Test it out!
Because John is a GhostPorts user, he’ll have an additional link in the upper right of his Portal:
The “Open GhostPorts” link gives John’s web browsing computer access to all services that have either “jparker-sms” or “All GhostPorts Users” as a source in their firewall rules. To make this happen, John clicks on the link and gets this screen:
Only the last two digits of the phone number are shown for privacy.
After John presses that button, the Portal asks him to enter the SMS authentication code. The code is only usable for the next 15 minutes:
The text message he gets will read “Your GhostPorts authentication code is NNNNNNNN”, and he enters that number in the Authentication code box. At that point the portal will show that GhostPorts were opened with:
Within a minute John will be able to reach the protected https web server.
The link in the upper right that used to say “Open GhostPorts” now reads “Close GhostPorts” as a reminder that the ports are open. When John’s done using those services he can click on this link and press the “Close GhostPorts” confirmation button on the next screen to close the ports. If he forgets, no problem, the GhostPorts are automatically closed 4 hours after they were opened.
There are a few steps to go through to set up the user account for the first time and to create the firewall rules to use GhostPorts, but the actual process of opening the firewall (with the confirming text message) just takes a few moments. While we showed this process with just a single firewall rule going to a single service, if we created tens or hundreds of firewall rules with his username or all GhostPorts users as a source, he’d get access to all of those services for 4 hours with a few clicks and a single text message.
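To make the behaviour described above concrete, here is an added example: a small Python model of the GhostPorts SMS flow (a code that is only usable for 15 minutes, a firewall source of a single user or “All GhostPorts users”, and ports that auto-close 4 hours after opening). It is constructed for illustration and is not CloudPassage’s code; the class, method names and sample addresses are all assumptions, and the SMS delivery is replaced by injecting the code directly.

```python
# Constructed model of the GhostPorts SMS flow (not CloudPassage/Halo code).
# Times are integer seconds so the model has no clock dependency.

CODE_TTL = 15 * 60          # an SMS code is only usable for 15 minutes
SESSION_TTL = 4 * 3600      # ports close automatically 4 hours after opening
ALL_USERS = "All GhostPorts users"


class GhostPortsModel:
    def __init__(self, rules):
        # rules: list of (port, source); source is "any", a username, or ALL_USERS
        self.rules = rules
        self.ghostports_users = set()   # accounts with "Enable GhostPorts access"
        self.pending = {}               # user -> (code, issued_at)
        self.open = {}                  # (user, source_ip) -> opened_at

    def enable_user(self, user):
        self.ghostports_users.add(user)

    def request_code(self, user, code, now):
        # In the real flow the code is texted to the user's phone; here we inject it.
        if user in self.ghostports_users:
            self.pending[user] = (code, now)

    def submit_code(self, user, ip, code, now):
        # Opens the ports for the browsing computer at 'ip' if the code is valid,
        # unexpired and has not already been used.
        issued = self.pending.get(user)
        if issued is None or issued[0] != code or now - issued[1] > CODE_TTL:
            return False
        del self.pending[user]          # single use
        self.open[(user, ip)] = now
        return True

    def close(self, user, ip):
        # The "Close GhostPorts" button.
        self.open.pop((user, ip), None)

    def allowed(self, src_ip, port, now):
        # Expire sessions older than SESSION_TTL, then evaluate the rules.
        self.open = {k: t for k, t in self.open.items() if now - t <= SESSION_TTL}
        for rule_port, source in self.rules:
            if rule_port != port:
                continue
            if source == "any":
                return True
            for (user, ip) in self.open:
                if ip == src_ip and (source == user or source == ALL_USERS):
                    return True
        return False
```

Note that the model treats the firewall source as the address John authenticated from, so a second machine on a different address is still blocked until it completes its own SMS step.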
In this post, we used the example of setting up GhostPorts during the process of creating a new user. You can just as easily modify an existing account to use either flavor of GhostPorts (YubiKey or SMS).