Break Glass Account in SSH: Secure Emergency Access Configuration (Debian)

Overview

A Break Glass Account is a highly privileged account designed for emergency access when standard authentication methods fail. This guide explains how to configure an SSH Break Glass Account (admin) specifically for Debian-based systems, that allows login only via an SSH key, bypassing single-factor authentication (1FA) and passwords.

Note: The machine should be onboarded into the tenant and have 1FA configured for regular users.

Use Case: Ensuring Emergency Access While Enforcing 1FA

Break Glass Account (admin): Can log in only using an SSH key (bypasses 1FA and password).
Regular Users (user_with_authnull_mfa): Must use keyboard-interactive authentication (1FA enforced).

1. SSH Configuration (`/etc/ssh/sshd_config`)

Relevant section:

PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes

Match User admin
    AuthenticationMethods publickey
    PasswordAuthentication no
    KbdInteractiveAuthentication no

Match User user_with_authnull_mfa
    AuthenticationMethods keyboard-interactive
    PubkeyAuthentication no

Explanation

Global Settings:
- PubkeyAuthentication yes: Allows SSH key authentication.
- PasswordAuthentication yes: Enables password authentication.
- KbdInteractiveAuthentication yes: Enables keyboard-interactive (1FA).
- UsePAM yes: Ensures PAM authentication is applied.
Break Glass Account (admin):
- AuthenticationMethods publickey: Only SSH key authentication is allowed.
- PasswordAuthentication no: Password login is disabled.
- KbdInteractiveAuthentication no: 1FA is disabled.
Regular Users (user_with_authnull_mfa):
- AuthenticationMethods keyboard-interactive: 1FA must be used (Accepting Authnull Authenticator App notification).
- PubkeyAuthentication no: Prevents SSH key usage.

2. PAM Configuration (`/etc/pam.d/sshd`)

Since SSH is configured to use PAM (UsePAM yes), the actual enforcement of password authentication (or 1FA) happens in /etc/pam.d/sshd.

# Enforce 1FA (e.g., Google Authenticator or Authnull)
auth required /usr/local/lib/security/pam_google_authenticator.so debug nullok
auth required pam_permit.so

3. Testing the Setup

Test Break Glass Account (`admin`):

Try logging in using only an SSH key:

ssh -i /path/to/private_key admin@<your-destination-machine-ip>

Expected: You should log in successfully without an MFA or password prompt.

To check SSH logs:

sudo journalctl -xe -f

Test MFA User (`user_with_authnull_mfa`):

Try logging in without an SSH key:

ssh user_with_authnull_mfa@<your-destination-machine-ip>

Expected: User should be prompted for 1FA in Authnull Authenticator App.

4. Summary of Behaviour

User	Allowed Authentication Methods	Requires MFA?	Can Use SSH Key?	Password Allowed?
`admin` (Break Glass)	Public Key Only	No	Yes	No
`user_with_authnull_mfa`	Keyboard-Interactive	Yes	No	Will be replaced with Authnull App notification

Conclusion

1FA is enforced for regular users (user_with_authnull_mfa).
A Break Glass Account (admin) is available to bypass 1FA if needed.
You can modify the config to allow both SSH key and 1FA if required.

For questions or troubleshooting, see the Linux Endpoints section or contact your system administrator.

Overview​

Use Case: Ensuring Emergency Access While Enforcing 1FA​

1. SSH Configuration (/etc/ssh/sshd_config)​

Explanation​

2. PAM Configuration (/etc/pam.d/sshd)​

3. Testing the Setup​

Test Break Glass Account (admin):​

Test MFA User (user_with_authnull_mfa):​

4. Summary of Behaviour​

Conclusion​