# Google Authenticator on VPS



## juan (May 30, 2013)

What are the pros and cons? Is it any better than having just Key-Based Auth? Can it be installed together with Key-Based Auth? Thanks!


----------



## walesmd (May 30, 2013)

Google Authenticator is a two factor authentication system: it requires you to provide something you know (your Google account credentials) as well as something you physically have (your phone, in this case).


Historically authorization has been one-factor: something you know. Even key-based could be considered something you know as it's really nothing more than a really, really long password you've saved into a text file.


It is ridiculously more secure. After logging in with your Google account you will be presented with another form asking for your key. You'll get the key from the "something you have", Google Authenticator running on your phone.


Where does this key come from? I haven't reviewed Google's specific implementation so I'm going to talk generically about RSA's SecurID - which I'm fairly certain was the first implementation of two-factor authentication.


Although the key looks entirely random to you and me, it is actually generated by a complex and highly guarded algorithm (math problem). This math problem uses some information about you, along with the time, to generate a key that is only valid for short periods of time, usually 30 seconds. When you send this key to Google, the same math problem runs on their servers - if the result is the same, you're good!


I believe I may have glossed over this fact but it's important to note, the only data transmitted between the client and server is the key. Not much else for the most part and certainly nothing used within the algorithm. If it can be transmitted it can be intercepted.


Some of the cons: you can't login unless you have your phone with you, which is typically not much of an issue. If you lose your device you won't have access, but a phone call usually clears that up (they revoke your previous algorithm and set up a new one). Since time is a factor, that can become an issue (think dying watch battery runs slower).


Pros: If I get your account info I still can't access your account; vice versa, get your device but I don't know your account.


Technically, yeah, it's possible to get running on your VPS. I'd have to review Google's documentation before I advise how feasible it would be. You'd also only be able to implement it where you have root; it would require changes on the server and I doubt your provider will let me dabble with their WHMCS install (yet, but that's a story for another day).


My advice: stick to keys, keep them backed up and install a script that emails you when someone gets in. On top of that have a contingency plan. For me, I have a secret phone number I can text a password to that activates SHUT EVERYTHING DOWN mode. My keys are revoked, passwords changed and only one user can login from one IP, plus a reboot to make sure the bad guy is gone.


Finally, if your provider sends you a password in plaintext, find a new provider. That's the most common security vulnerability I find - most providers simply don't know what they are doing or how to properly secure their service.


If there's interest I can clean up my OH SHIT script and release on GitHub, although I'd have to charge for the text receipts (or you implement your own). On a similar note: I know I've seen Google OAuth available for most of the control panels, convince your provider to implement that. Then Google's in charge of securing your password not them. On my phone or I'd look for it, but if it's not open source and there's interest I could whip something up with the assistance of control panel licensees. Same goes for two-factor.


Hope that helped!


----------



## Shados (May 31, 2013)

If you're looking for two-factor authentication for SSH, also check out barada. It's pretty easy to set up, and uses HOTP (GAuth supports HOTP, TOTP and IIRC some other schemes).


----------



## KuJoe (May 31, 2013)

Duo Security looks promising. I've been planning on setting it up on some of my personal servers to test it out.


----------



## xmob (May 31, 2013)

Google Authenticator can be used with a VPS.  I use it on a few of mine.

It doesn't use your Google account for login.  Like walesmd said above, it's a pseudo random number generated from a unique hash.

Google provide a PAM module that can be quite easily implemented.  There's a good howto here: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/


----------



## nunim (May 31, 2013)

I've been looking at this and other solutions such as YubiKey for a little while now, but I didn't want to be limited by USB port access; all of these 2-factor authenticators have their flaws and advantages. I just bought a Nexus 7, so now that I finally have an Android device I think I'll give it a shot, not that I need it... My data isn't really sensitive enough to require this, but it'll be fun to play with.


----------



## Shados (May 31, 2013)

Another problem with YubiKey is that they essentially have access to your token, which makes your security somewhat weaker if you don't trust them/their security.


----------



## haris (May 31, 2013)

Shados said:


> Another problem with YubiKey is that they essentially have access to your token, which makes your security somewhat weaker if you don't trust them/their security.


You can program the slots of the YubiKey to generate strings in your own way, I don't know how exactly though.


----------



## walesmd (May 31, 2013)

xmob said:


> Google Authenticator can be used with a VPS.  I use it on a few of mine.
> 
> It doesn't use your Google account for login.  Like walesmd said above, it's a pseudo random number generated from a unique hash.
> 
> Google provide a PAM module that can be quite easily implemented.  There's a good howto here: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/


It doesn't? Like I said, I haven't even read their docs yet (I've been way too busy since Google I/O), I was just referring to two-factor authentication in general... but, they have to be. If they are using the key only that's only fulfilling one requirement of _two_ and surely someone would have called Google out on that fact by now...

Damnit, now I'm going to have to go read the documentation. You got me curious.

*Edit:* Ah - got it now! The link xmob provided is a pretty good, real quick and dirty, description of it. I just assumed it would somehow be linked to your Google Account but it's completely stand-alone (which is pretty cool I think). Definitely is two-factor though - the password of your user and then the key from the authenticator device. Thanks for keeping me straight xmob!


----------



## acd (May 31, 2013)

haris said:


> You can program the slots of the YubiKey to generate strings in your own way, I don't know how exactly though.


Each YubiKey slot is a 128-bit AES key, which it then uses to generate OTPs, etc.

http://www.yubico.com/products/yubikey-hardware/yubikey/technical-description/

You can reprogram the key with their personalization tool, which makes it rather difficult for Yubico to know your key.

http://www.yubico.com/products/services-software/personalization-tools/use/

I was surprised to read it doesn't use RSA or ECDSA asymmetric cryptography; it significantly dampened my "wow" factor.


----------



## sDsB (Jun 1, 2013)

I've got the PAM module running on all my VPSes. They're all Debian stable so you gotta compile from source. Takes less than a minute to set up once you've done it a few times.


----------



## MannDude (Jun 1, 2013)

<hint>Would be cool if a member posted a tutorial on how to get started with this</hint>


----------



## mikho (Jun 1, 2013)

MannDude said:


> <hint>Would be cool if a member posted a tutorial on how to get started with this</hint>


I think I have a draft saved that I was about to publish.... Can't remember why it's still a draft. Must be something that isn't working as it should.


I can try and go over the steps again this week and post an update.


----------



## xmob (Jun 2, 2013)

There's a link to one in my post above.


----------



## Kris (Jun 2, 2013)

Will check these out, very interesting for full dual-auth.

Wonder if there's an Authy type system yet... One can wish ^_^


----------



## juan (Jun 3, 2013)

this looks good too, for those who want to try it out:

https://calomel.org/openssh_gatekeeper.html


----------



## mikho (Jun 3, 2013)

mikho said:


> I think I have a draft saved that I was about to publish.... Can't remember why it's still a draft. Must be something that isn't working as it should.
> 
> 
> I can try and go over the steps again this week and post an update.


I must have deleted my draft; I'll see if I can get it back from a backup and post it after setting it up and testing it.


----------



## nunim (Jun 3, 2013)

Spent a while trying to make a little bash script for auto-installation, but I am having issues with ensuring that sshd_config is set correctly, as it seems to be impossible to do what I'm trying with sed and I'm not as familiar with awk.

In the meantime, a simple tutorial for Debian/Ubuntu/CentOS/RHEL...  http://vpsboard.com/index.php?/topic/504-how-to-setup-google-authenticator
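The sshd_config step nunim is fighting with sed is easier to get right as a small function that rewrites the file as text: the Google Authenticator PAM setup needs `ChallengeResponseAuthentication yes` (and `UsePAM yes`) set exactly once in the global section, regardless of whether the stock file has the line commented out, duplicated, or inside a `Match` block. The block below is an added example, not nunim's script or anything from the linked tutorial; `SAMPLE_SSHD_CONFIG` is a constructed Debian-style fragment, and the `AuthenticationMethods` value in the test is one the thread does not mention.

```python
import re

# Constructed sample of a stock sshd_config (not copied from any real host).
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    ChallengeResponseAuthentication no
"""


def set_sshd_option(config_text: str, key: str, value: str) -> str:
    """Return config_text with the global `key value` present exactly once.

    Only the global section (everything before the first `Match` line) is
    touched: the first active or commented-out occurrence of `key` there is
    rewritten in place, later global occurrences are dropped so no duplicate
    can disagree with it, and if `key` is absent the directive is inserted
    just before the first `Match` line (or appended when there is none).
    Per-user `Match` blocks are left exactly as they were.
    """
    directive = re.compile(r"^\s*#?\s*" + re.escape(key) + r"\s+\S", re.IGNORECASE)
    lines = config_text.splitlines()
    match_start = next((i for i, line in enumerate(lines)
                        if re.match(r"^\s*Match\b", line, re.IGNORECASE)),
                       len(lines))
    out, done = [], False
    for i, line in enumerate(lines):
        if i < match_start and directive.match(line):
            if not done:
                out.append(f"{key} {value}")   # rewrite first occurrence
                done = True
            continue                            # drop later duplicates
        if i == match_start and not done:
            out.append(f"{key} {value}")       # insert before Match blocks
            done = True
        out.append(line)
    if not done:
        out.append(f"{key} {value}")           # no Match block: append
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(set_sshd_option(SAMPLE_SSHD_CONFIG, "ChallengeResponseAuthentication", "yes"))
```

Because the function is idempotent, an installer can call it on every run and then reload sshd; running `sshd -t` on the result before the reload is the cheap way to catch a typo before it locks you out.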


----------



## Damian (Jun 3, 2013)

We implemented 2FA for our WHMCS login. Since I'm the only one of our team that doesn't carry a smartphone, I use a YubiKey, while everyone else uses OTP from GAuthenticator.

I find it *extremely* difficult to remember to carry my YubiKey. There have been times I get to the office and realize that my YubiKey is at home. I'm seriously considering carrying my tablet with me everywhere instead.


----------



## mikho (Jun 3, 2013)

Damian said:


> We implemented 2FA for our WHMCS login. Since I'm the only one of our team that doesn't carry a smartphone, I use a YubiKey, while everyone else uses OTP from GAuthenticator.
> 
> 
> I find it *extremely* difficult to remember to carry my YubiKey. There have been times I get to the office and realize that my YubiKey is at home. I'm seriously considering carrying my tablet with me everywhere instead.


Perhaps you should take a look at PhoneFactor?


I think it needs Windows to run the agent on, but you can implement it on most servers.


It doesn't require a smartphone; it can instead call you when you log in and you authenticate using that phone call. Or use text messages instead.


----------

