Linux Two-Factor Authentication with Google Authenticator Module

ComputerTrophy

New Member
This is a personal favourite of mine. In this tutorial, I will be showing you how to set up two-factor authentication for your SSH. 

Here's a basic outline of what happens:

If you use Google Authenticator + Password: It asks for your two-factor code first, then password.

If you use private/public key SSH session + Google Authenticator (+ Password): It will ignore two-factor and log you in directly. (In other words, rendering this tutorial somewhat useless and a waste of time.)

Installing the Module

To get started, install the PAM packages:

Red Hat distributions:

yum install pam-devel make gcc-c++ wget

Ubuntu, Debian, etc. distributions:

apt-get install libpam0g-dev make g++ wget

Let's extract authenticator under the home directory (assuming you are root):

cd /root

wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2

tar -xvf libpam-google-authenticator-1.0-source.tar.bz2

 

Now we need to compile and install:

cd libpam-google-authenticator-1.0
make
make install
google-authenticator

 


If anything goes wrong, feel free to start again by typing 'google-authenticator' after exiting the installation.


During the installation, you will be asked questions. I personally hit 'y' for all of them, but since these are mainly personal preferences, be sure to read more about them and choose accordingly. 
It is imperative that you select 'y' for authentication tokens to be time-based.

 

Once installation is finished, you will be presented with:

  • A https://www.google.com/chart? URL. Copy and paste that into your web browser for a QR code of your secret key.
  • Your secret key.
  • Your verification code.
  • Your emergency scratch codes.
Write your emergency scratch codes down, or store them safely. Same goes for your secret key. Don't lose them!

Configuring SSH to use Google Authenticator Module

Open the PAM configuration file by using your preferred text editor. For example:

nano /etc/pam.d/sshd

OR

vi /etc/pam.d/sshd

At the top of the file, add this line:

auth required pam_google_authenticator.so

Save and exit the file.

Open the SSH configuration file at '/etc/ssh/sshd_config' by also using your preferred text editor, and change the "no" in the following line to "yes":

ChallengeResponseAuthentication no

Restart SSH:

/etc/init.d/sshd restart

Using Google Authenticator

After installing Google Authenticator, go to "Set up account", and either:

Do not log out of SSH (yet)! Instead, create a new SSH connection and attempt to log in using your new one-time password.

If it doesn't work, close your new SSH connection, go back to your old one and install 'google-authenticator' again.

If it does work, you can close your SSH connections, sit back and congratulate yourself.

Source: http://www.tecmint.com/ssh-two-factor-authentication/
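
The check below audits the two files the tutorial edits before you close your working session. It is an added example, not part of the original post or of the Google Authenticator project; the function names and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the PAM and sshd settings from the tutorial above.

# Print the first value of an sshd_config keyword in the global section
# (before any Match block). Keywords are case-insensitive and sshd uses
# the first value it obtains, so a later duplicate line has no effect.
sshd_first_value() {
    awk -v key="$1" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# Succeed when an uncommented auth line loads pam_google_authenticator.so.
pam_has_ga() {
    awk '
        $1 ~ /^#/ { next }
        $1 == "auth" && $0 ~ /pam_google_authenticator\.so/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Report both settings; return non-zero if either one is missing.
check_ga_config() {
    pam_file=${1:-/etc/pam.d/sshd}
    sshd_file=${2:-/etc/ssh/sshd_config}
    rc=0
    if pam_has_ga "$pam_file"; then
        echo "OK   $pam_file: pam_google_authenticator.so is active"
    else
        echo "FAIL $pam_file: no active auth line for pam_google_authenticator.so"
        rc=1
    fi
    value=$(sshd_first_value ChallengeResponseAuthentication "$sshd_file")
    case "$value" in
        yes) echo "OK   $sshd_file: ChallengeResponseAuthentication yes" ;;
        "")  echo "FAIL $sshd_file: ChallengeResponseAuthentication not set"; rc=1 ;;
        *)   echo "FAIL $sshd_file: first value is '$value'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (not from a real host): the PAM line is present,
# but a leftover "no" precedes the added "yes", so sshd still uses "no".
demo=$(mktemp -d)
printf 'auth required pam_google_authenticator.so\n' > "$demo/pam_sshd"
printf 'ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n' > "$demo/sshd_config"
check_ga_config "$demo/pam_sshd" "$demo/sshd_config" || echo "Fix the FAIL lines first."
rm -rf "$demo"
```

Called with no arguments, `check_ga_config` reads /etc/pam.d/sshd and /etc/ssh/sshd_config.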
 

HalfEatenPie

The Irrational One
Retired Staff
Awesome tutorial.  We had a discussion about how to do this a while back if I remember!  

By the way, are there any specific ways we can fix this if something goes wrong or if it stops working? Or do we basically just have to run the installer again?
 

ComputerTrophy

New Member
> Awesome tutorial. We had a discussion about how to do this a while back if I remember!
>
> By the way, are there any specific ways we can fix this if something goes wrong or if it stops working? Or do we basically just have to run the installer again?

Run the installer again.

You can disable it by removing 'auth required pam_google_authenticator.so', as well as changing 'ChallengeResponseAuthentication' back from 'Yes' to 'No'.
 

365Networks

New Member
Can't wait to try this out! Sadly I am unable to get the Authenticator app downloaded onto my BlackBerry. :( Will try again soon though.
 