I.T. Security and Linux Administration

May 10 2011   9:21AM GMT

Two-Factor Authentication via SSH

Eric Hansen Eric Hansen Profile: Eric Hansen


Security and smart phones, a great combination when used in the right situations.  A while ago, Google released their two-factor authentication mechanism, as well as released software to run on iPhones, Blackberries, and of course Android.  Since they released this, I was wondering how long it’d take to really take power with this for IT systems (lets face it, Google is trying to take over the IT world).  Then, I stumbled upon (ironically not on StumbleUpon) an article that shows steps on how to integrate Google Authenticator with SSH.  That’s where this really takes an interesting turn.

Step 1: Terminal Information (important) and a Security Notice

The first thing to do is make sure you always have one SSH window open (i.e.: use a separate terminal window to test the authentication), in case issues arise. I’m not going to go into compiling the modules, as my server’s flavor (Arch Linux) already had it in it’s repository, so check your flavor’s repos first.

Also, if you are using keys for authentication this method won’t work, as that takes precedence over two-form. This is due to how (Open)SSH works. Although, having two-form and key authentication would be interesting, it might be best to be considered over-done for now.

Step 2: Authenticator for Your Phone

Why not start with the easiest part first? You’ll need to install the Google Authenticator app onto your phone via this link: Turning on 2-step verification: Installing Google Authenticator. The steps are pretty easy and straight forward.

Step 3: Packages

The packages you need is google-authenticator-libpam-hg. Now, there is another package that seems to be needed as well, and that’s mercurial. Originally I thought this was just for Debian-based systems, but it’s also required for Arch as well. If you’re going to do this on Red Hat, you might need to do the following:

$ hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
$ cd google-authenticator/libpam/
$ make
$ sudo make install

Note that the Red Hat steps are not from experience, source of this at bottom of article.

For Arch Linux, I had to install from the AUR repository for google-authenticator-libpam-hg and from the regular repository for mercurial. Installation is pretty quick, about a couple of minutes to compile the code and such on Arch.

Once installed, as the user want to set up this authentication with, run the following command:


It’ll ask you a few questions and also generate a QR code (if you installed the qrencode package), or you can use the secret key in your authenticator app otherwise.

Step 4: Edit sshd_config

Now comes time to set this up. While the editing is rather easy, it took me a little bit to figure out why SSH wasn’t using the authenticator even though I had it set up according to the guide I followed. The reason is that the guides assumed UsePAM was already enabled. So, first what you need to do is make sure that you have UsePAM enabled:

UsePAM yes

Next, if you are using key-authentication, turn that off:

PubkeyAuthentication no

Now, make sure that challenge authentication (i.e.: two-form) is enabled:

ChallengeResponseAuthentication yes

Step 5: Edit PAM’s sshd file

Now you’ll need to edit /etc/pam.d/sshd. This is where the heart and soul of this entire method comes into play. What basically need to do is make it so the following three lines are at the top:

auth            sufficient      pam_google_authenticator.so
auth            sufficient      pam_unix.so
auth            required        pam_env.so

I personally couldn’t get the authentication to work by changing sufficient to required, but you might. Basically, sufficient is similar to “OR” (i.e.: Google authenticator OR user password is allowed), and required is similar to “AND” (i.e.: Google authenticator AND user password is needed to log in). You could take it one step further and take out the pam_unix.so completely and also change the following line in /etc/ssh/sshd_config if you want to remove password-usage completely from logging in:

PasswordAuthentication no

Then, after that, either comment out or remove the following in /etc/pam.d/sshd:

auth            sufficient      pam_unix.so

This will require that the authenticator only will be used.

Step 5: Test

Before assuming the job is done. You need to restart SSH so the new configuration settings can take place. After that, open up a NEW terminal session, and try to log in. If you set it up correctly, you should see something like this:

$ ssh some-server.com
Verification code:

This post was a mixture of two articles I read on this, combined with my own experiences.

Sources: Two Factor SSH with Google Authenticator and Setting up Google Authenticator (the second one is Arch Linux-specific but still has good general information).

2  Comments on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • SHA-512 Authentication - I.T. Security and Linux Administration
    [...] been trying to figure out for a little bit now how to do use the previously written Two Factor Authentication via SSH article for logging into my system directly. While it’s probably the same for SSH as it is [...]
    0 pointsBadges:
  • HOTP Authentication via PAM - I.T. Security and Linux Administration
    [...] month for me.  I just finished writing an article about SHA-12 encryption for passwords, Two Factor Authentication via SSH, and now I’m here for a new adventure. As mentioned in the two-factor article, I would write [...]
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: