Sunday, July 15, 2012

SSH / Google 2-Step Authentication How-To : Enhance your SSH security with Google Two factor Authentication Service



*** Updated March 9, 2013  ***

Major changes:
03/09/2013 - Added missing pam settings upon user comment

The Goal:


Google provides for free a great service to enhance your Google account security called "Google 2-Step Authentication"  (also called two factor authentication) and offers a real strong authentication mechanism.

This service can also easily be used to enhance your SSH access security.
In a few words, you will be able to protect your SSH access with strong authentication using your smartphone as a software token.

Do not hesitate to read official Google page if you need more information:

You may also read my article about configuring it to protect your Google account access:

Other useful sources (thanks to various authors):

What you need:

  • A running Linux Box with SSH installed and accessible
  • A smartphone : Iphone, Android or RIM

Step 1: Install Google Authenticator


Tested under Ubuntu 12.04 TLS:
sudo apt-get install libpam-google-authenticator

Step 2: Configure SSH to use Google Authenticator


Edit "/etc/pam.d/sshd" with your favorite text editor and add:
auth required pam_google_authenticator.so

Edit "/etc/ssh/sshd_config" and set:
ChallengeResponseAuthentication yes

Edit "/etc/pam.d/common-auth" and set:


auth required pam_google_authenticator.so
auth [success=1 default=ignore] pam_unix.so nullok_secure


As the user you want to connect with, configure your Google two factors authentication:

$ google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@host%3Fsecret%3DZDTR6VU5FR5OIZ3G

<BAR CODE>
       
Your new secret key is: ZDTR6VU5FR5OIZ3G
Your verification code is 843231
Your emergency scratch codes are:
  31043901
  75807840
  98606066
  42902460
  31208347

Do you want me to update your "~/.google_authenticator" file (y/n)

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y


Note: 
Emergency codes are provided in case of your phone would be unavailable, you should keep it somewhere 

Open your Google Authenticator application on your phone, click on "+" and "read bar code", get the bar code provided by the terminal, it will be added automatically in the application.


Restart ssh:
sudo service ssh restart



Note:
I recommend you to keep your opened terminal up in case you would be unable to connect 


Step 3: Check authentication



Try to connect to your host using Google code provided by your phone:

ssh user@host
Password: 
Verification code: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-26-generic x86_64)

Last login: Sun Jul 15 11:28:17 2012 from XXX.XXX.X.XX
user@host:~$ 













5 comments:

  1. Since installing this i am unable to access my server via ssh, i get a connection refused message each time, not even being prompted for any password. How would i fix this ?

    ReplyDelete
  2. Hi, Access you system directly in console mode and revert to your original SSH configuration (the pam.d config file and SSH config file), restart SSH (or reboot) and you should be good ^^

    ReplyDelete
  3. On Ubuntu 12.04 I also needed to edit /etc/pam.d/common-auth with the following line to make this work:

    # here are the per-package modules (the "Primary" block)
    auth required pam_google_authenticator.so
    auth [success=1 default=ignore] pam_unix.so nullok_secure

    Hope this helps someone. Cheers!

    ReplyDelete
    Replies
    1. Hi,

      I have added your correction, many thanks for reporting it!

      Cheers

      Delete

Please feel free to comment ^^