{"id":13333,"date":"2019-04-01T20:29:20","date_gmt":"2019-04-01T20:29:20","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=13333"},"modified":"2019-04-01T20:30:56","modified_gmt":"2019-04-01T20:30:56","slug":"how-to-setup-two-factor-authentication-google-authenticator-for-ssh-logins","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/04\/01\/how-to-setup-two-factor-authentication-google-authenticator-for-ssh-logins\/","title":{"rendered":"How to Setup Two-Factor Authentication (Google Authenticator) for SSH Logins"},"content":{"rendered":"

By default,\u00a0SSH<\/strong>\u00a0already uses a secure data communication between remote machines, but if you want to add some extra security layer to your SSH connections, you can add a\u00a0Google Authenticator<\/strong>\u00a0(two-factor authentication<\/strong>) module that allow you to enter a random one-time password (TOTP<\/strong>) verification code while connecting to\u00a0SSH<\/strong>\u00a0servers. You\u2019ll have to enter the verification code from your\u00a0smartphone<\/strong>\u00a0or\u00a0PC<\/strong>\u00a0when you connect.<\/p>\n

The\u00a0Google Authenticator<\/strong>\u00a0is an open-source module that includes implementations of one-time passcodes (TOTP<\/strong>) verification token developed by\u00a0Google<\/strong>. It supports several mobile platforms, as well as\u00a0PAM<\/strong>\u00a0(Pluggable Authentication Module<\/strong>). These one-time passcodes are generated using open standards created by the\u00a0OATH<\/strong>(Initiative for Open Authentication<\/strong>).<\/p>\n

\n

\"SSH<\/a><\/p>\n

SSH Two Factor Authentication<\/p>\n<\/div>\n

In this article I will show you how to setup and configure SSH for two-factor authentication under\u00a0Red Hat<\/strong>,\u00a0CentOS<\/strong>,\u00a0Fedora<\/strong>\u00a0and\u00a0Ubuntu<\/strong>,\u00a0Linux Mint<\/strong>\u00a0and\u00a0Debian<\/strong>.<\/p>\n

Installing Google Authenticator Module<\/h3>\n

Open the machine that you want to setup two factor authentication and install following\u00a0PAM<\/strong>\u00a0libraries along with development libraries that are needed for the\u00a0PAM<\/strong>\u00a0module to work correctly with\u00a0Google authenticator<\/strong>module.<\/p>\n

On\u00a0Red Hat<\/strong>,\u00a0CentOS<\/strong>\u00a0and\u00a0Fedora<\/strong>\u00a0systems install the \u2018pam-devel<\/strong>\u2018 package.<\/p>\n

# yum install pam-devel make gcc-c++ wget<\/pre>\n
On\u00a0Ubuntu<\/strong>,\u00a0Linux Mint<\/strong>\u00a0and\u00a0Debian<\/strong>\u00a0systems install \u2018libpam0g-dev<\/strong>\u2018 package.<\/p>\n
# apt-get install libpam0g-dev make gcc-c++ wget<\/pre>\n
Download and extract\u00a0Google authenticator<\/strong>\u00a0module under\u00a0Home<\/strong>\u00a0directory (assume you are already logged in home directory of\u00a0root<\/strong>).<\/p>\n
# cd \/root\r\n# wget https:\/\/google-authenticator.googlecode.com\/files\/libpam-google-authenticator-1.0-source.tar.bz2\r\n# tar -xvf libpam-google-authenticator-1.0-source.tar.bz2<\/pre>\n
Type the following commands to compile and install\u00a0Google authenticator<\/strong>\u00a0module on the system.<\/p>\n
# cd libpam-google-authenticator-1.0\r\n# make\r\n# make install\r\n# google-authenticator<\/pre>\n
Once you run \u2018google-authenticator<\/strong>\u2018 command, it will prompt you with a serious of question. Simply type \u201cy<\/strong>\u201d (yes<\/strong>) as the answer in most situation. If something goes wrong, you can type again \u2018google-authenticator<\/strong>\u2018 command to reset the settings.<\/p>\n
    \n
  1. Do you want authentication tokens to be time-based (y\/n)\u00a0y<\/strong><\/li>\n<\/ol>\n
    After this question, you will get your \u2018secret key<\/strong>\u2018 and \u2018emergency codes<\/strong>\u2018. Write down these details somewhere, we will need the\u00a0\u2018secret key<\/strong>\u2018 later on to setup\u00a0Google Authenticator<\/strong>\u00a0app.<\/p>\n
    [root@tecmint libpam-google-authenticator-1.0]# google-authenticator\r\n\r\nDo you want authentication tokens to be time-based (y\/n) y<\/strong>\r\nhttps:\/\/www.google.com\/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth:\/\/totp\/root@tecmint.com%3Fsecret%3DXEKITDTYCBA2TLPL\r\nYour new secret key<\/strong> is: XEKITDTYCBA2TLPL<\/strong>\r\nYour verification code<\/strong> is 461618\r\nYour emergency scratch codes<\/strong> are:\r\n  65083399\r\n  10733609\r\n  47588351\r\n  71111643\r\n  92017550\r\n<\/strong><\/pre>\n
    Next, follow the setup wizard and in most cases type answer as \u201cy<\/strong>\u201d (yes<\/strong>) as shown below.<\/p>\n
    Do you want me to update your \"\/root\/.google_authenticator\" file (y\/n) y<\/strong>\r\n\r\nDo you want to disallow multiple uses of the same authentication\r\ntoken? This restricts you to one login about every 30s, but it increases\r\nyour chances to notice or even prevent man-in-the-middle attacks (y\/n) y<\/strong>\r\n\r\nBy default, tokens are good for 30 seconds and in order to compensate for\r\npossible time-skew between the client and the server, we allow an extra\r\ntoken before and after the current time. If you experience problems with poor\r\ntime synchronization, you can increase the window from its default\r\nsize of 1:30min to about 4min. Do you want to do so (y\/n) y<\/strong>\r\n\r\nIf the computer that you are logging into isn't hardened against brute-force\r\nlogin attempts, you can enable rate-limiting for the authentication module.\r\nBy default, this limits attackers to no more than 3 login attempts every 30s.\r\nDo you want to enable rate-limiting (y\/n) y\r\n<\/strong><\/pre>\n
    Configuring SSH to use Google Authenticator Module<\/h3>\n
    Open the\u00a0PAM<\/strong>\u00a0configuration file \u2018\/etc\/pam.d\/sshd<\/strong>\u2018 and add the following line to the top of the file.<\/p>\n
    auth       required     pam_google_authenticator.so<\/pre>\n
    Next, open the\u00a0SSH<\/strong>\u00a0configuration file \u2018\/etc\/ssh\/sshd_config<\/strong>\u2018 and scroll for fine the line that says.<\/p>\n
    ChallengeResponseAuthentication no<\/pre>\n
    Change it to \u201cyes<\/strong>\u201c. So, it becomes like this.<\/p>\n
    ChallengeResponseAuthentication yes<\/pre>\n
    Finally, restart\u00a0SSH<\/strong>\u00a0service to take new changes.<\/p>\n
    # \/etc\/init.d\/sshd restart<\/pre>\n
    Configuring Google Authenticator App<\/h3>\n
    Launch\u00a0Google Authenticator<\/strong>\u00a0app in your smartphone. Press\u00a0Menu<\/strong>\u00a0and choose \u201cSetup an account<\/strong>\u201c. If you don\u2019t have this app, you can download and install\u00a0Google Authenticator<\/a>\u00a0app on your\u00a0Android\/iPhone\/Blackberry<\/strong>devices.<\/p>\n
    \n
    \"Google<\/a><\/p>\n
    Google Authenticator Setup Account<\/p>\n<\/div>\n
    Press \u201cEnter key provided<\/strong>\u201d.<\/p>\n
    \n
    \"Google<\/a><\/p>\n
    Enter Google Authenticator Secret Key<\/p>\n<\/div>\n
    Add your account \u2018Name<\/strong>\u2018 and enter the \u2018secret key<\/strong>\u2018 generated earlier.<\/p>\n
    \n
    \"Google<\/a><\/p>\n
    Google Authenticator Account Name and Secret Key<\/p>\n<\/div>\n
    It will generate one time password (verification code<\/strong>) that will constantly changing every\u00a030sec<\/strong>\u00a0on your phone.<\/p>\n
    \n
    \"Google<\/a><\/p>\n
    Google Authenticator One Time Password<\/p>\n<\/div>\n
    Now try to login via\u00a0SSH<\/strong>, you will be prompted with\u00a0Google Authenticator code<\/strong>\u00a0(Verification code<\/strong>) and\u00a0Password<\/strong>\u00a0whenever you attempt to log in via\u00a0SSH<\/strong>. You have only\u00a030 seconds<\/strong>\u00a0to enter this verification code, if you miss it will regenerate new verification code.<\/p>\n
    login as: tecmint\r\nAccess denied\r\nUsing keyboard-interactive authentication.\r\nVerification code<\/strong>:\r\nUsing keyboard-interactive authentication.\r\nPassword:\r\nLast login: Tue Apr 23 13:58:29 2013 from 172.16.25.125\r\n[root@tecmint ~]#<\/pre>\n
    If you don\u2019t have smartphone, you can also use a\u00a0Firefox<\/strong>\u00a0add-on called\u00a0GAuth Authenticator<\/a>\u00a0to do two-factor authentication.<\/p>\n
    Important<\/strong>: The two-factor authentication works with password based SSH login. If you are using any\u00a0private\/public key SSH session<\/a>, it will ignore two-factor authentication and log you in directly.<\/p>\n
    Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    By default,\u00a0SSH\u00a0already uses a secure data communication between remote machines, but if you want to add some extra security layer to your SSH connections, you can add a\u00a0Google Authenticator\u00a0(two-factor authentication) module that allow you to enter a random one-time password (TOTP) verification code while connecting to\u00a0SSH\u00a0servers. You\u2019ll have to enter the verification code from your\u00a0smartphone\u00a0or\u00a0PC\u00a0when … <\/p>\n
    Continue reading “How to Setup Two-Factor Authentication (Google Authenticator) for SSH Logins”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-13333","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=13333"}],"version-history":[{"count":2,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13333\/revisions"}],"predecessor-version":[{"id":13335,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13333\/revisions\/13335"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=13333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=13333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=13333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}