» How to Secure SSH with Google Authenticator’s Two-Factor Authentication

Standard

http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/

How to Secure SSH with Google Authenticator’s Two-Factor Authentication
Published on August 14th, 2012  |  Written by: Chris Hoffman

Want to secure your SSH server with easy-to-use two-factor authentication? Google provides the necessary software to integrate Google Authenticator’s time-based one-time password (TOTP) system with your SSH server. You’ll have to enter the code from your phone when you connect.

Google Authenticator doesn’t “phone home” to Google — all the work happens on your SSH server and your phone. In fact, Google Authenticator is completely open-source, so you can even examine its source code yourself.

Install Google Authenticator
To implement multifactor authentication with Google Authenticator, we’ll need the open-source Google Authenticator PAM module. PAM stands for “pluggable authentication module” – it’s a way to easily plug different forms of authentication into a Linux system.

Ubuntu’s software repositories contain an easy-to-install package for the Google Authenticator PAM module. If your Linux distribution doesn’t contain a package for this, you’ll have to download it from the Google Authenticator downloads page on Google Code and compile it yourself.

To install the package on Ubuntu, run the following command:

sudo apt-get install libpam-google-authenticator

(This will only install the PAM module on our system – we’ll have to activate it for SSH logins manually.)

Create an Authentication Key
Log in as the user you’ll be logging in with remotely and run the google-authenticator command to create a secret key for that user.

Allow the command to update your Google Authenticator file by typing y. You’ll then be prompted with several questions that will allow you to restrict uses of the same temporary security token, increase the time window that tokens can be used for, and limit allowed acces attempts to hinder brute-force cracking attempts. These choices all trade some security for some ease-of-use.

Google Authenticator will present you with a secret key and several “emergency scratch codes.” Write down the emergency scratch codes somewhere safe – they can only be used one time each, and they’re intended for use if you lose your phone.

Enter the secret key in the Google Authenticator app on your phone (official apps are available for Android, iOS, and Blackberry). You can also use the scan barcode feature – go to the URL located near the top of the command’s output and you can scan a QR code with your phone’s camera.

You’ll now have a constantly changing verification code on your phone.

If you want to log in remotely as multiple users, run this command for each user. Each user will have their own secret key and their own codes.

Activate Google Authenticator
Next you’ll have to require Google Authenticator for SSH logins. To do so, open the /etc/pam.d/sshd file on your system (for example, with the sudo nano /etc/pam.d/sshd command) and add the following line to the file:

auth required pam_google_authenticator.so

Next, open the /etc/ssh/sshd_config file, locate the ChallengeResponseAuthentication line, and change it to read as follows:

ChallengeResponseAuthentication yes

(If the ChallengeResponseAuthentication line doesn’t already exist, add the above line to the file.)

Finally, restart the SSH server so your changes will take effect:

sudo service ssh restart

You’ll be prompted for both your password and Google Authenticator code whenever you attempt to log in via SSH.

15 Responses

JEAN-FRANCOIS MESSIER
August 14, 2012 at 8:00 am
Excellent article. I use this authenticator for my main GMail account for a while now, and I really like the fact that I can have multiple secret keys and number generators on my phone. The trick is now to see whether I can replicate the secret key across multiple servers to have a single generated code to access multiple servers.

FOO
August 14, 2012 at 8:38 am
I’m in love with Google’s 2-factor auth. I use it for Google account(obviously), LastPass, SSH, and once implemented…dropbox =D

REKLAIMER
August 14, 2012 at 11:07 am
Tried this under my ubuntu 10.10 server. Even when adding a repo manually that I found it still could not find the libpam-google-authenticator package. Maybe it just doesn’t work for 10.10?

FOOBAR
August 14, 2012 at 12:53 pm
Someone needs to add this to Tomato/DD-WRT

TIM
August 14, 2012 at 3:42 pm
I had this on my SSH server for a little while… it worked really well… and then I went to connect with WinSCP… there isn’t a great implementation for connecting via SFTP.

CPRADIO
August 14, 2012 at 6:32 pm
I’m with Tim, I can’t really use this without WinSCP support…. sigh

DELTARAY
August 14, 2012 at 11:01 pm
It seems that you’re using a libvte based terminal (gnome-terminal) in your example screenshots, since you are concerned enough about security to implement two factor auth, you really should check out this document, which documents a major security flaw in that library:

http://climagic.org/bugreports/libvte-scrollback-written-to-disk.html

TOTO
August 16, 2012 at 3:19 am
Interesting article, the idea looks interesting.

Just a quick question, can you still have several way to connect to your ssh server at the same time?

Basically, I’m usually connecting to my ssh server from my laptop or tablet, so I created a public/private pair of key (DSA), because it’s faster, more secure etc…

I would like to use the google system but only if I’m not able to use my private key. Is there is a a way to do that?
Thanks,

REARDEN
August 16, 2012 at 2:16 pm
For those that are concerned about your smart phone not have battery charge on being in an area that has no coverage, there is a simpler alternative at: http://taferno.sourceforge.net

It uses simple USB flash drives and provides Two-Factor Authentication for:
1. OpenVPN
2. SSH
3. Web Single Sign On

DAVE
August 16, 2012 at 6:01 pm
To both Tim and cpradio, not sure what you’re on about here. I’ve had Google Authenticator set-up for some time now on my SSH server, WinSCP seems to work fine for me. Just make sure you’re running the latest version. Failing that, if you use SSH keys, two factor authentication is bypassed. WinSCP supports both Challenge Response and SSH keys.

BOBBY
August 17, 2012 at 12:21 am
A million thank-yous!

NANAKOS CHRYSOSTOMOS
August 17, 2012 at 3:07 pm
I think that the yubikey or softyubikey for gnome, kde, cinnamon and mate is a better solution. Please check them out. I solves all previous problems. Cheers!

ASELVAN
August 22, 2012 at 9:02 am
@Toto: if you don’t have your private key on a device you are trying to login from, and you have setup the two-factor authentication with google authenticator, sshd will do two factor authentication. You don’t have to do anything, it will work exactly like you want. I have the same need and it works correctly i.e. uses key based login where private keys are available and two factor when keys are not available.

TOTO
August 23, 2012 at 5:41 am
@aselvan : Thanks for your input, I actually tried that and it worked like a charm.

For those of you who are interested to do so, I recommend you to set the shared key as preferred login method.

ANDREW
September 13, 2012 at 12:30 am
Hi

I have two types of authentication on my server.
One is used just for my account to administer the server (not root) that has public/private keys
The second has just user and pass, but has shell access restricted, are locked in to using a shared ftp folder and are restricted from doing pretty much anything but ftp and http forwarding. (via a group policy in sshd)

I can see that above toto had asked if it was possible to use either public keys or authenticator if not available. is it possible to have the authenticator AND the pub/private key for the standard account, while leaving the accounts in my restricted group untouched.

its probably overkill, with what feels like 3 step protection, but i am curious if it is possible.

1,984 total views, 5 views today

Linux 2.4 Kernel Is Done

Standard

From: http://www.phoronix.com/scan.php?page=news_item&px=MTA4NDg
Linux 2.4 Kernel Is Done

Posted by Michael Larabel on April 09, 2012

Development on the Linux 2.4 kernel is now officially over with no more maintenance releases being expected.

Back in September of 2010 I wrote about the plans for the Linux 2.4 kernel to go end-of-life and now it’s finally reached that state. Willy Tarreau confirmed this morning in a mailing list message that there will be no further 2.4.x point releases.
Hi all,

15 months ago I announced that if no more critical fix was to be merged by one year, 2.4 would be EOLed after a year (around december 2011). The break-in of last year made things a bit difficult for some users but nothing really important for 2.4 users was merged since, so the EOL had no reason to be delayed.

However since the break-in, I was surprized to see that some users have asked where to find the 2.4 git tree to pick some fixes from it. After discussing with several of them, it appears that they’re not really interested in releases, rather just in having a place where fixes are
centralized and that the git tree is perfect for this. So I revived the git tree in my account and will probably push a patch there once in a while if people ask for this, but with no guarantees.

Anyway I don’t intend to waste any more space on kernel.org with tar.gz files nor patches that too few people use.

The repository is now available here :

http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git

If anyone has any question, feel free to ask.

Willy
Meanwhile, upstream Linux kernel development is approaching the Linux 3.4 kernel.

589 total views, 4 views today

How to mount a remote directory using SSH via SSHFS

Standard

From: http://www.linuxnix.com/2011/03/mount-directory-locally-linux-sshfs.html

Step1:Installing Package

On Ubuntu/Debain

On Redhat/CentOS/Fedora

Step2:Once the package is installed we have to create a mount point and mount our  server data using sshfs command, for which we require  user-name/password. Here are my details for this task.

Now create the mount point and mount SSH account data.

Step3:Testing our set-up

Check if you are able to see the SSH data

#cd /mnt/ssh

#ls

Sample output

What about df -hs command output?

Sample output

Step4:So what about mounting it permanently?. We can do it by editing fstab file in /etc folder

go to last line and type below line

Save the file and exit. Now run mount -a to update the fstab file state to kernel.

Let me explain what entry in fstab indicates. We are mentioning mount user root data which is located on 10.233.10.212 server on to /mnt/ssh using fuse file system with default settings.

Step5:What about unmounting this drive?

Enjoy new learning of mounting a folder using SSH protocol.

867 total views, 2 views today