Blog

Use Google Authenticator For Two-Factor SSH Authentication in Linux

From scottlinux.com

For a very secure and convenient way to add two-factor ssh auth to your Linux server, you can use Google Authenticator. I’ll show you how to set this up!

1. In Ubuntu 13.04:


$ sudo apt-get install libpam-google-authenticator

2. Then, from an open bash shell with your user account on that server and run the following:

$ google-authenticator

Scan the bar code with your Android phone or iPhone to add the key. (Or alternatively, open the URL provided on your phone to add the key.)

Note: save the emergency scratch codes in case you need to access the server without your phone!

01-googleauth

I suggest answering the following to the questions that follow:

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) n

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

3. Next, add this to the bottom of /etc/pam.d/sshd

auth required pam_google_authenticator.so

4. Next, make sure this is set to yes in /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

5. Restart ssh:

$ sudo /etc/init.d/ssh restart

Done!

Now you can login with two-factor auth (password and google authenticator)

stmiller@brahms:~$ ssh stmiller@172.16.1.148
Password:
Verification code:
Welcome to Ubuntu 13.04 (GNU/Linux 3.8.0-19-generic x86_64)

* Documentation: https://help.ubuntu.com/

Last login: Sun Jun 2 13:20:22 2013 from 172.16.1.202
stmiller@ubuntu1304:~$

From scottlinux.com

g33kadmin

I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....