
Use Google Authenticator for SSH

I have recently set up two-factor authentication on my server using Google Authenticator. I thought it would be a good idea to share with you the way I achieved this and some issues I bumped into along the way.

Install NTP to synchronize the system clock (very important: the codes are time-based, so nothing will work without an accurate clock)

Log in via SSH as the root user.
Type the following command to install ntp:

Install make and disable SELinux

Install make:

Open the SELinux config for editing:

Change:

To:

Save the file and then reboot the server.

Install and set up the Google Authenticator PAM module on your server

Make sure that you have the EPEL repo installed so that you will be able to install everything. I normally install it and then disable it, and only use --enablerepo when it is needed.

On CentOS 5.x

If you don't yet have Python 2.6 installed, install it; this installs it in parallel with python2.4 so as not to break yum:

Once installed, let's install some dependencies; I have added a couple just in case I need them:

On CentOS 6.x

You will already have Python 2.6 running, so you won't need to install that; let's just install some dependencies in case we need them:

Now we need to download and install git.

Make a directory for the authenticator and go into it:

Download the Google Authenticator source from SVN:

Change to the downloaded directory (on mine I also had to cd into libpam):

Run make and make install:

If all goes well you should now have the Google Authenticator PAM module on your server. If not, please leave a comment and I will help as best I can 🙂

Set up PAM authentication on the SSH server to work with the Google Authenticator PAM module

Now we need to configure PAM auth for SSH:

Change the file to this, which basically adds the “auth required pam_google_authenticator.so” line:

Skip two-factor authentication if logging in from the local network

At first this is all very cool, but soon it becomes a bit annoying, too. When I SSH from the local network, I just don't want to enter the verification code, because I trust my local network. When I SSH from remote, a verification code is required. One way to arrange that is to always log in with certificates. But there is another way to configure it: using the pam_access module. Try this config:

The config file, /etc/security/access-local.conf, looks like:

Local login attempts from 10.0.0.0/24 will not require two-factor authentication, while all others do.

Now we need to edit the SSH daemon configuration file.
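To make the pam_access rule behaviour concrete, here is an added example (not code from the original post) that parses a constructed access-local.conf in pam_access syntax and evaluates whether the second factor would be required for a given user and source address. The file contents, the `[success=1 default=ignore]` stacking of pam_access.so ahead of pam_google_authenticator.so, and the simplified handling of the users field (only `ALL` or a plain user name) are assumptions; real pam_access also supports groups, hostnames and ttys.

```python
import ipaddress

# Constructed example of /etc/security/access-local.conf in pam_access
# syntax (permission : users : origins). The page only states the intent;
# these exact lines are an assumption.
ACCESS_LOCAL_CONF = """\
# Trusted LAN: pam_access succeeds, so the next module (the authenticator) is skipped
+ : ALL : 10.0.0.0/24
# Everything else: pam_access fails, so pam_google_authenticator.so runs and asks for a code
- : ALL : ALL
"""

def parse_access_conf(text):
    """Return a list of (allow, users, origins) tuples, ignoring comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(pattern, origin):
    """Match an origin field: ALL, a CIDR/IP, or a literal name (simplified)."""
    if pattern == "ALL":
        return True
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern == origin

def pam_access_allows(rules, user, origin):
    """First matching rule wins; no match means deny, as pam_access does."""
    for allow, users, origins in rules:
        user_ok = "ALL" in users or user in users
        if user_ok and any(origin_matches(p, origin) for p in origins):
            return allow
    return False

def second_factor_required(rules, user, origin):
    """Assumed PAM stack for sshd:
         auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
         auth required pam_google_authenticator.so
       success=1 jumps over the next module, so an allowed origin needs no code."""
    return not pam_access_allows(rules, user, origin)

if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_LOCAL_CONF)
    for src in ("10.0.0.5", "10.0.1.5", "203.0.113.9"):
        print(src, "-> code required" if second_factor_required(rules, "root", src) else "-> no code")
```

Note that the rule only inspects the source address PAM sees (PAM_RHOST); a host on the trusted /24 that is compromised gets the same exemption, which is the trade-off the author accepts for convenience.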

Uncomment:

Comment out:

Make sure that:

To make your system truly secure, you might want to disable PubkeyAuthentication:

**NOW STOP** and make sure that a second SSH session is open and working, because you can then edit /etc/ssh/sshd_config and /etc/pam.d/sshd if something goes wrong. Otherwise you are going to need to make these changes on the local console.

Restart the SSH daemon:

Then run google-authenticator on the server:

You should see something like:

Answer each of the questions to best suit your needs. I said Yes to everything except the question about increasing the window from its default size of 1:30min to about 4min.
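The window question above and the NTP requirement at the top are two sides of the same thing: the code is derived from the current time in 30-second steps, and the server accepts a code only if it lies within a window of steps around its own clock. The following added example (not code from the original post or from the google-authenticator project) implements the RFC 6238 TOTP computation and a window check modelled on the PAM module's behaviour; the `window_size` semantics (a count of 30-second steps centred on the server's current step, 3 meaning one step either side) and the sample secret (the RFC 6238 test key, base32-encoded) are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test key "12345678901234567890", base32-encoded (constructed sample,
# not a real secret). google-authenticator prints a secret in this format.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32, counter, digits=6):
    """HMAC-SHA1 based one-time password for a single counter value (RFC 4226)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

def totp(secret_b32, at_time, step=30, digits=6):
    """Code the phone shows at Unix time at_time (the phone's clock)."""
    return hotp(secret_b32, int(at_time) // step, digits)

def verify(secret_b32, code, server_time, window_size=3, step=30, digits=6):
    """Accept the code if it matches any step in a window centred on the
    server's current step. window_size=3 covers -1..+1 (1:30 min of skew);
    a larger window tolerates more clock drift at the cost of more valid codes."""
    centre = int(server_time) // step
    half = window_size // 2
    for counter in range(centre - half, centre + half + 1):
        if hmac.compare_digest(hotp(secret_b32, counter, digits), code):
            return True
    return False

def skew_tolerated(secret_b32, skew_seconds, window_size=3, base_time=1111111109):
    """Does a phone whose clock is skew_seconds ahead of the server still log in?"""
    code_from_phone = totp(secret_b32, base_time + skew_seconds)
    return verify(secret_b32, code_from_phone, base_time, window_size)

if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(SAMPLE_SECRET, now))
    for skew in (0, 30, 90, 240):
        print("skew %3ds: default window %s, wide window %s"
              % (skew, skew_tolerated(SAMPLE_SECRET, skew),
                 skew_tolerated(SAMPLE_SECRET, skew, window_size=17)))
```

With an unsynchronised server clock even a correct code from a correct phone falls outside the window, which is exactly the failure the NTP step prevents; widening the window papers over drift but also enlarges the set of codes an attacker can guess at any moment.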

Note: The emergency scratch codes are one-time-use verification codes for the event that your phone is unavailable. So save these somewhere safe!

In your browser, load the URL noted above; it will show a QR code that you can scan into your phone using the Google Authenticator application for Android, iPhone or BlackBerry. If you already have a Google Authenticator token being generated on your phone, you can add a new one and it will display them both.

  • Start the app on your phone.
  • Choose to add an account by scanning a barcode, then scan the QR code shown at the URL above in your browser.

If all is working, you should be able to SSH in with your username, then the authentication code from your phone/device, and then your password.
