Google Authenticator on VPS
- Thread starter juan
- Start date
-
- Tags
- vps security
Google Authenticator is a two factor authentication system: it requires you to provide something you know (your Google account credentials) as well as something you physically have (your phone, in this case).
Historically authorization has been one-factor: something you know. Even key-based could be considered something you know as it's really nothing more than a really, really long password you've saved into a text file.
It is ridiculously more secure. After logging in with your Google account you will be presented with another form asking for your key. You'll get the key from the "something you have", Google Authenticator running on your phone.
Where does this key come from? I haven't reviewed Google's specific implementation so I'm going to talk generically about RSA's SecureID - which in fairly certain was the first implementation of two-factor authentication.
Although the key looks entirely random to you and I, it is actually generated by a complex and highly guarded algorithm (math problem). This math problem uses some information about you, along with the time, to generate a key that is only valid for short periods of time, usually 30 seconds. When you send this key to Google, the same math problem runs on their servers - if the result is the same, you're good!
I believe I may have glossed over this fact but it's important to note, the only data transmitted between the client and server is the key. Not much else for the most part and certainly nothing used within the algorithm. If it can be transmitted it can be intercepted.
Some of the cons: you can't login unless you have your phone with you which of typically not typo much of an issue. If you lose your device you won't have access but a phone call usually clears that up (they revoke your previous algorithm and setup a new one). Since time is a factor that can dinginess become an issue (think dying watch battery runs slower).
Pros: If I get your account info I still can't access your account; vice versa, get your device but I don't know your account.
Technically, yeah, it's possible to get running on your VPS. I'd have to review Google's documentation before I advise how feasible it would be. You'd also only be able to implement it where you have root; it would require changes on the server and I doubt your provider will let me dabble with their WHMCS install (yet, but that's a story for another day).
My advice: stick to keys, keep them backed up and install a script that emails you when someone gets in. On top of that have a contingency plan. For me, I have a secret phone number I can text a password to that activates SHUT EVERYTHING DOWN mode. My keys are revoked, passwords changed and only one user can login from one IP, plus a reboot to make sure the bad guy is gone.
Finally, if your provider sends you a password in plaintext, find a new provider. That's the most common security vulnerability I find - most providers simply don't know what they are doing or how to properly secure their service.
If there's interest I can clean up my OH SHIT script and release on GitHub, although I'd have to charge for the text receipts (or you implement your own). On a similar note: I know I've seen Google OAuth available for most of the control panels, convince your provider to implement that. Then Google's in charge of securing your password not them. On my phone or I'd look for it, but if it's not open source and there's interest I could whip something up with the assistance of control panel licensees. Same goes for two-factor.
Hope that helped!
Historically authorization has been one-factor: something you know. Even key-based could be considered something you know as it's really nothing more than a really, really long password you've saved into a text file.
It is ridiculously more secure. After logging in with your Google account you will be presented with another form asking for your key. You'll get the key from the "something you have", Google Authenticator running on your phone.
Where does this key come from? I haven't reviewed Google's specific implementation so I'm going to talk generically about RSA's SecureID - which in fairly certain was the first implementation of two-factor authentication.
Although the key looks entirely random to you and I, it is actually generated by a complex and highly guarded algorithm (math problem). This math problem uses some information about you, along with the time, to generate a key that is only valid for short periods of time, usually 30 seconds. When you send this key to Google, the same math problem runs on their servers - if the result is the same, you're good!
I believe I may have glossed over this fact but it's important to note, the only data transmitted between the client and server is the key. Not much else for the most part and certainly nothing used within the algorithm. If it can be transmitted it can be intercepted.
Some of the cons: you can't login unless you have your phone with you which of typically not typo much of an issue. If you lose your device you won't have access but a phone call usually clears that up (they revoke your previous algorithm and setup a new one). Since time is a factor that can dinginess become an issue (think dying watch battery runs slower).
Pros: If I get your account info I still can't access your account; vice versa, get your device but I don't know your account.
Technically, yeah, it's possible to get running on your VPS. I'd have to review Google's documentation before I advise how feasible it would be. You'd also only be able to implement it where you have root; it would require changes on the server and I doubt your provider will let me dabble with their WHMCS install (yet, but that's a story for another day).
My advice: stick to keys, keep them backed up and install a script that emails you when someone gets in. On top of that have a contingency plan. For me, I have a secret phone number I can text a password to that activates SHUT EVERYTHING DOWN mode. My keys are revoked, passwords changed and only one user can login from one IP, plus a reboot to make sure the bad guy is gone.
Finally, if your provider sends you a password in plaintext, find a new provider. That's the most common security vulnerability I find - most providers simply don't know what they are doing or how to properly secure their service.
If there's interest I can clean up my OH SHIT script and release on GitHub, although I'd have to charge for the text receipts (or you implement your own). On a similar note: I know I've seen Google OAuth available for most of the control panels, convince your provider to implement that. Then Google's in charge of securing your password not them. On my phone or I'd look for it, but if it's not open source and there's interest I could whip something up with the assistance of control panel licensees. Same goes for two-factor.
Hope that helped!
xmob
New Member
Google Authenticator can be used with a VPS. I use it on a few of mine.
It doesn't use your Google account for login. Like walesmd said above, it's a pseudo random number generated from a unique hash.
Google provide a PAM module that can be quite easily implemented. There's a good howto here: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/
It doesn't use your Google account for login. Like walesmd said above, it's a pseudo random number generated from a unique hash.
Google provide a PAM module that can be quite easily implemented. There's a good howto here: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/
nunim
VPS Junkie
I've been looking at this and other solutions such as yubikey for a little while now but I didn't want to be limited by USB port access, all of these 2 factor authenticators have their flaws and advantages. I just bought a Nexus 7 so now that I finally have an android device I think I'll give it a shot, not that I need it... My data isn't really sensitive enough to require this but it'll be fun to play with 
haris
New Member
you can program the slots of the yubikey to generate strings with your own way, I don't know how exactly though
It doesn't? Like I said, I haven't even read their docs yet (I've been way too busy since Google I/O), I was just referring to two-factor authentication in general... but, they have to be. If they are using the key only that's only fulfilling one requirement of two and surely someone would have called Google out on that fact by now...
Damnit, now I'm going to have to go read the documentation. You got me curious.
Edit: Ah - got it now! The link xmob provided is a pretty good, real quick and dirty, description of it. I just assumed it would somehow be linked to your Google Account but it's completely stand-alone (which is pretty cool I think). Definitely is two-factor though - the password of your user and then the key from the authenticator device. Thanks for keeping me straight xmob!
Last edited by a moderator:
acd
New Member
Each yubikey slot is a 128 bit aes key, which it then uses to generate OTPs, etc.
http://www.yubico.com/products/yubikey-hardware/yubikey/technical-description/
You can reprogram the key with their personalization tool, which makes it rather difficult for yubico to know your key.
http://www.yubico.com/products/services-software/personalization-tools/use/
I was surprised to read it doesn't use RSA or ECDSA asymmetric cryptography; significantly damped my "wow" factor.
mikho
Not to be taken seriously, ever!
I think I have a draft saved that I was about to publish.... Can't remember why it's still a draft. Must be something that isn't working as it should.<hint>Would be cool if a member posted a tutorial on how to get started with this</hint>
I can try and go over the steps again this week and post an update.
juan
New Member
Last edited by a moderator:
mikho
Not to be taken seriously, ever!
I must have deleted my draft, see if I an get it baxk from a backup and post it after setting it up and tested it.
nunim
VPS Junkie
Spent awhile trying to make a little bash script for auto-installation but I am having issues with ensuring that sshd_config is set correctly as it seems to be impossible to do what I'm trying with sed and I'm not as familiar with awk..
In the meantime, a simple tutorial for Debian/Ubuntu/CentOS/RHEL... http://vpsboard.com/index.php?/topic/504-how-to-setup-google-authenticator
In the meantime, a simple tutorial for Debian/Ubuntu/CentOS/RHEL... http://vpsboard.com/index.php?/topic/504-how-to-setup-google-authenticator
We implemented 2FA for our WHMCS login. Since i'm the only one of our team that doesn't carry a smartphone, I use a yubikey, while everyone else uses OTP from GAuthenticator.
I find it extremely difficult to remember to carry my yubikey. There have been times I get to the office and realize that my yubikey is at home. I'm seriously considering carrying my tablet with me everywhere instead.
I find it extremely difficult to remember to carry my yubikey. There have been times I get to the office and realize that my yubikey is at home. I'm seriously considering carrying my tablet with me everywhere instead.
mikho
Not to be taken seriously, ever!
Perhaps hou should take a look at phonefactor?
I think it needs windows to run the acent on but you can implement it on most servers.
It doesn't require a smartphone, it van instead call you when you log in and you authenticate using that phonecall. Or use text messages instead.