ComputerTrophy
New Member
This is a personal favourite of mine. In this tutorial, I will be showing you how to set up two-factor authentication for your SSH.
Here's a basic outline of what happens:
- Google Authenticator + password: you are asked for your two-factor code first, then your password.
- Private/public key SSH session + Google Authenticator (+ password): it will ignore two-factor and log you in directly. (In other words, this renders the tutorial somewhat useless and a waste of time.)
Installing the Module
To get started, install the PAM packages:
Red Hat distributions:
yum install pam-devel make gcc-c++ wget
Ubuntu, Debian, etc. distributions:
apt-get install libpam0g-dev make g++ wget
Let's download and extract the authenticator source under the home directory (assuming you are root):
cd /root
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar -xvf libpam-google-authenticator-1.0-source.tar.bz2
Now we need to compile and install:
cd libpam-google-authenticator-1.0
make
make install
google-authenticator
If anything goes wrong, feel free to start again by typing 'google-authenticator' after exiting the installation.
During the installation, you will be asked questions. I personally hit 'y' for all of them, but since these are mainly personal preferences, be sure to read more about them and choose accordingly.
It is imperative that you select 'y' for authentication tokens to be time-based.
Once installation is finished, you will be presented with:
- A https://www.google.com/chart? URL. Copy and paste that into your web browser for a QR code of your secret key.
- Your secret key.
- Your verification code.
- Your emergency scratch codes.
Configuring SSH to use Google Authenticator Module
Open the PAM configuration file by using your preferred text editor. For example:
nano /etc/pam.d/sshd
OR
vi /etc/pam.d/sshd
At the top of the file, add this line:
auth required pam_google_authenticator.so
Save and exit the file.
Open the SSH configuration file at '/etc/ssh/sshd_config', also using your preferred text editor, and change the "no" in the following line to "yes":
ChallengeResponseAuthentication no
Restart SSH:
/etc/init.d/sshd restart
Using Google Authenticator
After installing Google Authenticator, go to "Set up account", and either:
- "Scan a barcode" using the QR code from the https://www.google.com/chart? URL.
- Manually enter your secret key using "Enter key provided".
If it doesn't work, close your new SSH connection, go back to your old one and install 'google-authenticator' again.
If it does work, you can close your SSH connections, sit back and congratulate yourself.
Source: http://www.tecmint.com/ssh-two-factor-authentication/
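The two configuration edits described in the post can be checked from the session you still have open, before you test a new login. The script below is an added example, not part of the original post: the function names and the sample files are constructed for illustration, and it reads only global sshd_config keywords in "Keyword value" form (no Match blocks).

```shell
# Added example: audit the two files the tutorial edits (function names are hypothetical).

# True if the first "auth" line in the PAM file loads the module as "required".
pam_has_totp_first() {
    first=$(grep -E '^[[:space:]]*auth[[:space:]]' "$1" | head -n 1)
    case "$first" in
        *required*pam_google_authenticator.so*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of a global sshd_config keyword (case-insensitive, first
# occurrence, commented-out lines ignored), or "unset" if it is absent.
sshd_value() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    echo "${v:-unset}"
}

# Return 0 when both tutorial steps are in place; print one finding per line.
audit_ssh_2fa() {
    pam_file=$1 sshd_file=$2 rc=0
    if ! pam_has_totp_first "$pam_file"; then
        echo "FAIL: pam_google_authenticator.so is not the first auth line"; rc=1
    fi
    cr=$(sshd_value "$sshd_file" ChallengeResponseAuthentication)
    if [ "$cr" != yes ]; then
        echo "FAIL: ChallengeResponseAuthentication is '$cr', expected yes"; rc=1
    fi
    pk=$(sshd_value "$sshd_file" PubkeyAuthentication)
    if [ "$pk" != no ]; then
        echo "NOTE: PubkeyAuthentication is '$pk'; per the post, key logins skip the code"
    fi
    return $rc
}

# Constructed sample files: "before" is untouched, "after" has the tutorial's edits.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '# sample' 'auth include password-auth' > "$d/pam.before"
    printf '%s\n' 'auth required pam_google_authenticator.so' 'auth include password-auth' > "$d/pam.after"
    printf '%s\n' '#PubkeyAuthentication yes' 'ChallengeResponseAuthentication no' > "$d/sshd.before"
    printf '%s\n' '#PubkeyAuthentication yes' 'ChallengeResponseAuthentication yes' > "$d/sshd.after"
    echo "$d"
}

d=$(make_samples)
audit_ssh_2fa "$d/pam.before" "$d/sshd.before" || echo "before: not ready"
audit_ssh_2fa "$d/pam.after" "$d/sshd.after" && echo "after: ready"
rm -rf "$d"
```

On a real host, call `audit_ssh_2fa /etc/pam.d/sshd /etc/ssh/sshd_config` after making the edits.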