Posted by: Eric Hansen
authentication, SSH, Two-Factor
Security and smart phones, a great combination when used in the right situations. A while ago, Google released their two-factor authentication mechanism, as well as software to run on iPhones, Blackberries, and of course Android. Since they released this, I was wondering how long it’d take for this to really catch on for IT systems (let’s face it, Google is trying to take over the IT world). Then, I stumbled upon (ironically not on StumbleUpon) an article that shows steps on how to integrate Google Authenticator with SSH. That’s where this really takes an interesting turn.
Step 1: Terminal Information (important) and a Security Notice
The first thing to do is make sure you always have one SSH window open (i.e.: use a separate terminal window to test the authentication), in case issues arise. I’m not going to go into compiling the modules, as my server’s flavor (Arch Linux) already had it in its repository, so check your flavor’s repos first.
Also, if you are using keys for authentication, this method won’t work, as key authentication takes precedence over two-factor. This is due to how (Open)SSH works. Although having two-factor and key authentication together would be interesting, it might be best to consider that overkill for now.
Step 2: Authenticator for Your Phone
Why not start with the easiest part first? You’ll need to install the Google Authenticator app onto your phone via this link: Turning on 2-step verification: Installing Google Authenticator. The steps are pretty easy and straightforward.
Step 3: Packages
The package you need is google-authenticator-libpam-hg. Now, there is another package that seems to be needed as well, and that’s mercurial. Originally I thought this was just for Debian-based systems, but it’s also required for Arch. If you’re going to do this on Red Hat, you might need to do the following:
$ hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
$ cd google-authenticator/libpam/
$ make
$ sudo make install
Note that the Red Hat steps are not from my own experience; the source for this is at the bottom of the article.
For Arch Linux, I had to install from the AUR repository for google-authenticator-libpam-hg and from the regular repository for mercurial. Installation is pretty quick, about a couple of minutes to compile the code and such on Arch.
Once installed, as the user you want to set up this authentication for, run the following command:
It’ll ask you a few questions and also generate a QR code (if you installed the qrencode package), or you can use the secret key in your authenticator app otherwise.
Step 4: Edit sshd_config
Now comes time to set this up. While the editing is rather easy, it took me a little bit to figure out why SSH wasn’t using the authenticator even though I had it set up according to the guide I followed. The reason is that the guides assumed UsePAM was already enabled. So, first what you need to do is make sure that you have UsePAM enabled:
Next, if you are using key authentication, turn that off:
Now, make sure that challenge-response authentication (i.e.: two-factor) is enabled:
Step 5: Edit PAM’s sshd file
Now you’ll need to edit /etc/pam.d/sshd. This is where the heart and soul of this entire method comes into play. What you basically need to do is make sure the following three lines are at the top:
auth sufficient pam_google_authenticator.so
auth sufficient pam_unix.so
auth required pam_env.so
I personally couldn’t get the authentication to work by changing sufficient to required, but you might. Basically, sufficient is similar to “OR” (i.e.: either the Google Authenticator code OR the user password is enough to log in), and required is similar to “AND” (i.e.: the Google Authenticator code AND the user password are both needed to log in). You could take it one step further and remove pam_unix.so completely, and also change the following line in /etc/ssh/sshd_config, if you want to remove password usage from logging in entirely:
Then, after that, either comment out or remove the following in /etc/pam.d/sshd:
auth sufficient pam_unix.so
This will require that only the authenticator is used.
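Before restarting sshd, it helps to audit both files against the settings described in Steps 4 and 5, since a missing UsePAM or a still-enabled key login silently bypasses the code prompt. The following Python script is an added example for this article, not the author’s code and not part of the google-authenticator project. It assumes plain PAM control words (sufficient/required, no bracketed syntax), does not follow Debian-style @include lines, and reads only the global section of sshd_config (everything after the first Match line is ignored); the sample file contents are constructed for illustration.

```python
"""Audit a sshd_config and a /etc/pam.d/sshd file for the authenticator setup.

Constructed example (not part of the original post). It encodes the checks
the post walks through: UsePAM on, challenge-response on, key authentication
off, pam_google_authenticator.so first in the auth stack, and optionally no
pam_unix.so so that only the verification code is accepted.
"""
import re

# sshd keeps the FIRST value it sees for a keyword and matches keywords
# case-insensitively. Everything after the first "Match" line is conditional,
# so the parser stops there and audits only the global section (assumption:
# you care about the default policy, not per-user overrides).
def parse_sshd_config(text):
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings

# The defaults below are OpenSSH's compiled-in defaults, used when a keyword
# is absent. Returns a list of problems; an empty list means ready to restart.
def check_sshd_config(text, allow_password=True):
    s = parse_sshd_config(text)
    problems = []
    if s.get("usepam", "no") != "yes":
        problems.append("UsePAM is not 'yes': sshd never consults the PAM stack")
    if s.get("challengeresponseauthentication", "yes") != "yes":
        problems.append("ChallengeResponseAuthentication is not 'yes': no code prompt")
    if s.get("pubkeyauthentication", "yes") == "yes":
        problems.append("PubkeyAuthentication is on: a valid key skips the code")
    if not allow_password and s.get("passwordauthentication", "yes") == "yes":
        problems.append("PasswordAuthentication is on but authenticator-only was requested")
    return problems

# Each PAM line is "type control module [args]". Debian-style "@include"
# lines pull in other files, which this simple checker does not follow.
def parse_pam_auth(text):
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0].lower() == "auth":
            entries.append((fields[1].lower(), fields[2]))
    return entries

def check_pam_sshd(text, allow_password=True):
    auth = parse_pam_auth(text)
    modules = [module for _, module in auth]
    problems = []
    if "pam_google_authenticator.so" not in modules:
        problems.append("pam_google_authenticator.so is missing from the auth stack")
    elif modules[0] != "pam_google_authenticator.so":
        problems.append("pam_google_authenticator.so must be the first auth line")
    if not allow_password and "pam_unix.so" in modules:
        problems.append("pam_unix.so is still present: passwords remain accepted")
    return problems

# Summarise the policy in the post's own terms (sufficient ~ OR, required ~ AND).
def describe_pam_policy(text):
    control = {module: ctl for ctl, module in parse_pam_auth(text)}
    ga = control.get("pam_google_authenticator.so")
    unix = control.get("pam_unix.so")
    if ga is None:
        return "no authenticator"
    if unix is None:
        return "authenticator only"
    if ga == "sufficient" and unix == "sufficient":
        return "code OR password"
    if ga == "required" and unix == "required":
        return "code AND password"
    return "mixed controls: check the stack by hand"

# Constructed sample files (not taken from any real host).
SSHD_BEFORE = """\
# Distribution default before Step 4: UsePAM absent, key auth still on
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""
SSHD_AFTER = """\
UsePAM yes
ChallengeResponseAuthentication yes
PubkeyAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no   # inside a Match block: ignored by the checker
"""
PAM_OR = """\
auth sufficient pam_google_authenticator.so
auth sufficient pam_unix.so
auth required   pam_env.so
"""
PAM_CODE_ONLY = """\
auth sufficient pam_google_authenticator.so
auth required   pam_env.so
"""

if __name__ == "__main__":
    for name, cfg in (("before", SSHD_BEFORE), ("after", SSHD_AFTER)):
        print(f"sshd_config ({name}):", check_sshd_config(cfg) or "OK")
    for name, pam in (("OR", PAM_OR), ("code only", PAM_CODE_ONLY)):
        print(f"pam.d/sshd ({name}):", describe_pam_policy(pam),
              check_pam_sshd(pam, allow_password=False) or "OK")
```

To audit a real host, read /etc/ssh/sshd_config and /etc/pam.d/sshd into the two check functions and pass allow_password=False if you removed pam_unix.so; a non-empty result means fix the file before you close the spare SSH session from Step 1.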
Step 6: Test
Before assuming the job is done, you need to restart SSH so the new configuration settings take effect. After that, open up a NEW terminal session and try to log in. If you set it up correctly, you should see something like this:
$ ssh some-server.com
Verification code:
This post was a mixture of two articles I read on this, combined with my own experiences.