
Google Two Factor Authentication and SSH

For my research and during my free time I’m managing and using multiple GNU/Linux machines over SSH, so I decided to try Google Two Factor Authentication. Google Authenticator is a completely open source project, which means that you can compile the sources from scratch, contribute to the project, or simply examine and read the source code.

The two factor authentication is time-based, which means that once it is installed on your server and on your phone, you will have approximately 30 seconds to 4 minutes to enter the code provided by the Google app in order to log in on the server. Two factor authentication gives the user a second layer of security, which might be useful if you deal with confidential information, or simply to prevent your server from being compromised by a brute-force attack. This article is thus a simple “How to” covering the installation of Google Two Factor Authentication on an Ubuntu Server.

Installing Google Authenticator:

The first step is to install the pluggable authentication module (PAM). One way of doing this is to download the source code and compile it; in this “how to”, however, we will simply install the package via the command line.

[Screenshot: Screen Shot 2013-01-23 at 11.31.04]

This command installs the PAM module (the authentication module) on the system.

Creating an Authentication Key:

To be able to use the two factor authentication, each user will have to create an authentication key. You will thus need to repeat this step for each user on your system. In this case I did it for the root user; however, keep in mind that it is not recommended to log in to and administer a server as root.

To do so, run the following command without sudo; otherwise the two factor authentication will be applied to the root user.

google-authenticator

Some questions will also appear; here is what I answered:

Once they are answered, the following screen should appear:

[Image: QR code]

As you can see, a QR code has been generated. You can scan it with your mobile phone, and the phone will automatically pick up the secret key and the username for which it has been activated; or you can simply add the user manually on your phone and enter the secret key. The emergency scratch codes should, however, be kept safe, since they are “rescue codes” in case you lose your phone; this seems to me like the biggest weakness of that system.

Activating Google Authenticator:

To activate Google Authenticator you will need to edit two files. They need to be modified to tell the system that it must use the PAM module we installed whenever a user tries to log in via SSH. To do so, use the following commands.

[Screenshot: Screen Shot 2013-01-23 at 12.31.31]

And add the following lines at the end of the file:

[Screenshot: Screen Shot 2013-01-23 at 11.38.02]

Then edit the following file:

[Screenshot: Screen Shot 2013-01-23 at 12.31.52]

and modify the existing line as shown:

[Screenshot: Screen Shot 2013-01-23 at 11.38.44]

You can now restart SSH:

[Screenshot: Screen Shot 2013-01-23 at 12.36.08]

and use Google two factor authentication with your smartphone.
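
The code the phone shows and the PAM module checks is an RFC 6238 time-based one-time password (HMAC-SHA1, 30-second steps, 6 digits). The following Python is an added example, not code from this post or from the Google Authenticator project: it derives codes from a base32 secret of the kind google-authenticator prints and verifies a submitted code within a clock-skew window. The one-step-either-side window is an assumption, and the demo secret is a constructed one (the RFC test key).

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # lifetime of one token, as used by Google Authenticator
DIGITS = 6         # length of the code shown in the app

def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret printed by google-authenticator; the printed
    and QR forms carry no '=' padding, so restore it first."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(key: bytes, timestamp: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the counter is the number of whole steps since the epoch."""
    return hotp(key, int(timestamp) // step)

def verify(secret_b32: str, submitted: str, timestamp: Optional[int] = None,
           window: int = 1) -> bool:
    """Accept the code for the current step or any step within +/- window.
    window=1 is an assumed default that absorbs small clock skew; widening it
    is what stretches validity towards the "4 minutes" the post mentions, at
    the cost of more codes being valid at once. Comparison is constant-time."""
    key = decode_secret(secret_b32)
    now = int(time.time()) if timestamp is None else int(timestamp)
    counter = now // STEP_SECONDS
    submitted = submitted.strip()
    return any(hmac.compare_digest(hotp(key, counter + d), submitted)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    # Constructed demo secret: base32 of the RFC 4226/6238 test key
    # b"12345678901234567890"; a real one is read from ~/.google_authenticator.
    demo = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("code for this 30 s step:", totp(decode_secret(demo), int(time.time())))
```

A real check must also refuse a code that has already been accepted within its window, as the PAM module does when reuse is disallowed; this example leaves that out.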

Sources:

  1. http://code.google.com/p/google-authenticator/
  2. Google Authenticator on iOS
  3. Two Factor Authentication for Gmail
