
Google Authenticator on VPS

juan

New Member
What are the pros and cons? Is it any better than having just Key-Based Auth? Can it be installed together with Key-Based Auth? Thanks!
 

walesmd

New Member
Google Authenticator is a two factor authentication system: it requires you to provide something you know (your Google account credentials) as well as something you physically have (your phone, in this case).


Historically authorization has been one-factor: something you know. Even key-based could be considered something you know as it's really nothing more than a really, really long password you've saved into a text file.


It is ridiculously more secure. After logging in with your Google account you will be presented with another form asking for your key. You'll get the key from the "something you have", Google Authenticator running on your phone.


Where does this key come from? I haven't reviewed Google's specific implementation so I'm going to talk generically about RSA's SecurID - which I'm fairly certain was the first implementation of two-factor authentication.


Although the key looks entirely random to you and I, it is actually generated by a complex and highly guarded algorithm (math problem). This math problem uses some information about you, along with the time, to generate a key that is only valid for short periods of time, usually 30 seconds. When you send this key to Google, the same math problem runs on their servers - if the result is the same, you're good!


I believe I may have glossed over this fact but it's important to note, the only data transmitted between the client and server is the key. Not much else for the most part and certainly nothing used within the algorithm. If it can be transmitted it can be intercepted.


Some of the cons: you can't login unless you have your phone with you, which is typically not too much of an issue. If you lose your device you won't have access, but a phone call usually clears that up (they revoke your previous algorithm and set up a new one). Since time is a factor, that can definitely become an issue (think dying watch battery runs slower).


Pros: If I get your account info I still can't access your account; vice versa, get your device but I don't know your account.


Technically, yeah, it's possible to get running on your VPS. I'd have to review Google's documentation before I advise how feasible it would be. You'd also only be able to implement it where you have root; it would require changes on the server and I doubt your provider will let me dabble with their WHMCS install (yet, but that's a story for another day).


My advice: stick to keys, keep them backed up and install a script that emails you when someone gets in. On top of that have a contingency plan. For me, I have a secret phone number I can text a password to that activates SHUT EVERYTHING DOWN mode. My keys are revoked, passwords changed and only one user can login from one IP, plus a reboot to make sure the bad guy is gone.


Finally, if your provider sends you a password in plaintext, find a new provider. That's the most common security vulnerability I find - most providers simply don't know what they are doing or how to properly secure their service.


If there's interest I can clean up my OH SHIT script and release on GitHub, although I'd have to charge for the text receipts (or you implement your own). On a similar note: I know I've seen Google OAuth available for most of the control panels, convince your provider to implement that. Then Google's in charge of securing your password not them. On my phone or I'd look for it, but if it's not open source and there's interest I could whip something up with the assistance of control panel licensees. Same goes for two-factor.


Hope that helped!
 

Shados

Professional Snake Miner
If you're looking for two-factor authentication for SSH, also check out barada. It's pretty easy to set up, and uses HOTP (GAuth supports HOTP, TOTP and IIRC some other schemes).
 

KuJoe

Well-Known Member
Verified Provider
Duo Security looks promising. I've been planning on setting it up on some of my personal servers to test it out.
 

nunim

VPS Junkie
I've been looking at this and other solutions such as yubikey for a little while now but I didn't want to be limited by USB port access, all of these 2 factor authenticators have their flaws and advantages. I just bought a Nexus 7 so now that I finally have an android device I think I'll give it a shot, not that I need it... My data isn't really sensitive enough to require this but it'll be fun to play with :)
 

Shados

Professional Snake Miner
Other problem with Yubikey is that they essentially have access to your token, which makes your security somewhat weaker if you don't trust them/their security.
 

haris

New Member
Other problem with Yubikey is that they essentially have access to your token, which makes your security somewhat weaker if you don't trust them/their security.
You can program the slots of the yubikey to generate strings in your own way, I don't know exactly how though
 

walesmd

New Member
Google Authenticator can be used with a VPS.  I use it on a few of mine.

It doesn't use your Google account for login.  Like walesmd said above, it's a pseudo random number generated from a unique hash.

Google provide a PAM module that can be quite easily implemented.  There's a good howto here: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/
It doesn't? Like I said, I haven't even read their docs yet (I've been way too busy since Google I/O), I was just referring to two-factor authentication in general... but, they have to be. If they are using the key only that's only fulfilling one requirement of two and surely someone would have called Google out on that fact by now...

Damnit, now I'm going to have to go read the documentation. You got me curious.

Edit: Ah - got it now! The link xmob provided is a pretty good, real quick and dirty, description of it. I just assumed it would somehow be linked to your Google Account but it's completely stand-alone (which is pretty cool I think). Definitely is two-factor though - the password of your user and then the key from the authenticator device. Thanks for keeping me straight xmob!
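The PAM module route xmob links to is what actually answers the original question of running Google Authenticator alongside key-based auth: sshd has to be told to run PAM, to prompt for the code, and to require both a key and the code rather than either one. The audit below is an added example, not code from any poster or from the linked howto. It parses a constructed sshd_config and pam.d/sshd pair, in a weak and a hardened variant, and reports what still lets a bare key in. The directive names are the real OpenSSH ones (AuthenticationMethods needs OpenSSH 6.2 or later) and the PAM module name is the real pam_google_authenticator.so; the sample file contents are constructed for the example.

```python
# Constructed sample files; not from any real host.
WEAK_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
# a key alone is not enough: the PAM prompt (the verification code) must also pass
AuthenticationMethods publickey,keyboard-interactive
"""

WEAK_PAM_SSHD = """\
@include common-auth
@include common-account
@include common-session
"""

HARDENED_PAM_SSHD = """\
auth required pam_google_authenticator.so
@include common-auth
@include common-account
@include common-session
"""


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lower: value}. sshd honours the FIRST occurrence of a keyword, so a
    duplicated directive later in the file does not override an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings


def pam_google_authenticator_status(pam_text: str) -> tuple:
    """Return (enforced, nullok) for the pam_google_authenticator line, if any."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth" and fields[2].endswith("pam_google_authenticator.so"):
            return fields[1] in ("required", "requisite"), "nullok" in fields[3:]
    return False, False


def audit_ssh_2fa(sshd_text: str, pam_text: str) -> list:
    """List every reason a valid key would still log in without a code; empty means key + code is enforced."""
    cfg = parse_sshd_config(sshd_text)
    findings = []
    # upstream defaults: UsePAM no, ChallengeResponseAuthentication yes, AuthenticationMethods any
    if cfg.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not yes: the PAM module never runs")
    if cfg.get("challengeresponseauthentication", "yes").lower() != "yes":
        findings.append("ChallengeResponseAuthentication is no: sshd will not prompt for the code")
    methods = cfg.get("authenticationmethods", "any")
    if methods == "any":
        findings.append("AuthenticationMethods not set: a valid key alone still logs in")
    else:
        for alternative in methods.split():
            required = {m.split(":")[0] for m in alternative.split(",")}
            if not {"publickey", "keyboard-interactive"} <= required:
                findings.append(f"AuthenticationMethods alternative '{alternative}' does not require both key and code")
    enforced, nullok = pam_google_authenticator_status(pam_text)
    if not enforced:
        findings.append("pam.d/sshd has no 'auth required pam_google_authenticator.so' line")
    elif nullok:
        findings.append("nullok set: users without an enrolled secret skip the second factor")
    return findings


if __name__ == "__main__":
    for label, sshd, pam in (("weak", WEAK_SSHD_CONFIG, WEAK_PAM_SSHD),
                             ("hardened", HARDENED_SSHD_CONFIG, HARDENED_PAM_SSHD)):
        print(label, audit_ssh_2fa(sshd, pam) or ["key + code enforced"])
```

The `nullok` check matters during rollout: it is the option that lets accounts without a `.google_authenticator` file log in with no second factor, which is convenient while enrolling users and a hole if it is left on. Note also that with `@include common-auth` still present, PAM asks for the account password as well, so a key-plus-code setup usually comments that line out in pam.d/sshd.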
 

acd

New Member
you can program the slots of the yubikey to generate strings with your own way, I don't know how exactly though
Each yubikey slot is a 128-bit AES key, which it then uses to generate OTPs, etc.

http://www.yubico.com/products/yubikey-hardware/yubikey/technical-description/

You can reprogram the key with their personalization tool, which makes it rather difficult for yubico to know your key.

http://www.yubico.com/products/services-software/personalization-tools/use/

I was surprised to read it doesn't use RSA or ECDSA asymmetric cryptography; significantly dampened my "wow" factor.
 

sDsB

New Member
I've got the pam module running on all my VPSes. They're all debian stable so you gotta compile from source. Takes less than a minute to setup once you've done it a few times.
 

MannDude

Just a dude
vpsBoard Founder
Moderator
<hint>Would be cool if a member posted a tutorial on how to get started with this</hint> ;)
 

mikho

Not to be taken seriously, ever!
<hint>Would be cool if a member posted a tutorial on how to get started with this</hint> ;)
I think I have a draft saved that I was about to publish.... Can't remember why it's still a draft. Must be something that isn't working as it should.


I can try and go over the steps again this week and post an update.
 

Kris

New Member
Will check these out, very interesting for full dual-auth.

Wonder if there's an Authy type system yet... One can wish ^_^
 

mikho

Not to be taken seriously, ever!
I think I have a draft saved that I was about to publish.... Can't remember why it's still a draft. Must be something that isn't working as it should.


I can try and go over the steps again this week and post an update.
I must have deleted my draft, see if I can get it back from a backup and post it after setting it up and testing it.
 

Damian

New Member
Verified Provider
We implemented 2FA for our WHMCS login. Since I'm the only one of our team that doesn't carry a smartphone, I use a yubikey, while everyone else uses OTP from GAuthenticator.

I find it extremely difficult to remember to carry my yubikey. There have been times I get to the office and realize that my yubikey is at home. I'm seriously considering carrying my tablet with me everywhere instead.
 

mikho

Not to be taken seriously, ever!
We implemented 2FA for our WHMCS login. Since I'm the only one of our team that doesn't carry a smartphone, I use a yubikey, while everyone else uses OTP from GAuthenticator.


I find it extremely difficult to remember to carry my yubikey. There have been times I get to the office and realize that my yubikey is at home. I'm seriously considering carrying my tablet with me everywhere instead.
Perhaps you should take a look at PhoneFactor?


I think it needs Windows to run the agent on, but you can implement it on most servers.


It doesn't require a smartphone; it can instead call you when you log in and you authenticate using that phone call. Or use text messages instead.
 