Previously I posted on how to make some changes to SSH to improve it’s security. One of the configuration options I said to change was to disable password authentication. I want to cover how you can keep password authentication enable by using 2-factor authentication powered by Google Authenticator.
what is it?
Two-factor authentication (also known as 2FA) provides unambiguous identification of users by means of the combination of two different components. These components may be something that the user knows, something that the user possesses or something that is inseparable from the user. A good example from everyday life is the withdrawing of money from a cash machine. Only the correct combination of a bank card (something that the user possesses) and a PIN (personal identification number, i.e. something that the user knows) allows the transaction to be carried out. Two-factor authentication is a type of multi-factor authentication.
why would i give my keys to google?
Google Authenticator’s time-based one-time password (TOTP) system doesn’t “phone home” to Google all the work happens on your server. By enabling TOTP your account information isn’t actually shared with Google nor do you require a Google account. The key exchange is done via a pre-shared key that’s used with the current UTC timestamp to generate a one time password that you use to authenticate to the server.
The project is also open source and you can review the code here.
install google authenticator
To implement multifactor authentication with Google Authenticator, you’ll need the open-source Google Authenticator PAM module. PAM stands for ‘pluggable authentication module’ it’s a way to easily plug different forms of authentication into a Linux system.
Ubuntu’s software repositories contain an easy-to-install package for the Google Authenticator PAM module. If your Linux distribution doesn’t contain a package for this, you’ll have to download it from the Google Authenticator downloads page on Google Code and compile it yourself.
To install the package on Ubuntu, run the following command:
(This will only install the PAM module on your system you will have to activate it for SSH logins manually.)
create an authentication key
Now that the PAM module has been installed you will need to generate a authentication key. This is the pre-shared key that’s used as part of the seed to the TOTP.
Login as the user you wish to use 2FA and type:
After answering ‘yes’ to the question if you want authentication tokens to be time-based, it should produce some output that looks like the following:
Google Authenticator will present you with a secret key and several ‘emergency scratch codes’. Write down the emergency scratch codes somewhere safe they can only be used one time each, and they’re intended for use if you lose your phone.
You will also need to add the ‘secret key’ to your phone’s Google Authenticator app.
Once you’ve added the ‘secret key’ to your phones Google Authenticator app, Answer ‘yes’ to updating your .google_authenticator file and then answer the following questions:
enable Google Authenticator
Now that you’ve setup everything it’s time to actually enable the PAM module. You can do this with the following:
You will also need to edit /etc/ssh/sshd_config. Look for the ‘ChallengeResponseAuthentication’ line and enable it.
If you followed my previous post, you will also need to update ‘PasswordAuthentication’ from ‘no’ to ‘yes’.
Finally, restart the SSH server so your changes will take effect:
You can now simply ssh to localhost and see if you get the 2FA.