Google authenticator is a client to provide multi-factor authentication based on time-based one-time password algorithm TOTP. How you can see it’s very easy to increase a bit more the security in our Linux servers. A verification token has to be entered, each time that you’ve to connect to the server via SSH. Basically you’ve to setup a pam module developed by Google and include it in our pam settings to work with it on the authentication process. With this way you can ensure that in case that our password was cracked add one more security layer of authentication using a different token in an interval time.

twofactor-img

Installation
– Install dependencies:

# aptitude install make build-essentials libpam0g-dev libpam0g

– Download the source code:

# cd /tmp && wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
# tar xjvf libpam-google-authenticator-1.0-source.tar.bz2
# cd libpam-google-authenticator-1.0/

– Edit Makefile file and just put under “VERSION:=1.0” line the next flag to link to the pam library of the system:

LDFLAGS=-lpam

– Build and install:

# make install

Generation of the token

– Login with the user that you would like to setup Google authenticator:

# su - user

– Generate a new token:

$ google-authenticator

– Do you want authentication tokens to be time-based (y/n)
It ask us if we want the authentication tokens to be time-based. If we choose yes, the token will change every 30 seconds, else the token will change only on each use. So obviously the first option may be more secure, so you’re free to choose whatever option.

– Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n)
It means that only you can login one time per token generated.

– By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n)
It allow us to increase the generation time for tokens if we experience some time mismatches with the client and the server.

– If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n)
Avoid brute force attack to limit 3 login attempts every 30 s.

– The Google authenticator now was generated an url with your secret key, so now you need to open it in a browser and scan the QR code with your smartphone.

Setup SSH to work with Two factor authentication

– Setup PAM to work with Google authenticator with ssh connections:

# vi /etc/pam.d/sshd
auth required pam_google_authenticator.so

– Setup ssh daemon to support challenge response authentication:

# vi /etc/ssh/sshd_config
ChallengeResponseAuthentication yes

– Restart daemon:

# service ssh restart

– Source:
https://code.google.com/p/google-authenticator/wiki/PamModuleInstructions

Protecting SSH with Two-Factor authentication

One thought on “Protecting SSH with Two-Factor authentication

  • October 3, 2014 at 22:08
    Permalink

    really interesting !

    Reply

Leave a Reply

Follow

Get every new post delivered to your Inbox

Join other followers: