Using Google 2FA for SSH Authentication


Google has a two-factor authentication mechanism available for their GMail and select other services. With a little work, you can use this mechanism to authenticate to your SSH server as well.


Table of Contents
1. What is Two Factor Authentication?
2. Configuring PAM
2.1. Using Key-Based Authentication
A. About Me

1. What is Two Factor Authentication?

Normally, to log into your email you need a username and a password. The problem is that you use the same password at your favorite forum, social networking site, or utility-bill portal, and one of those sites has just had a breach, so the attackers now have your username and password. They can access not only something meaningless, but also your email. And from there they can have your bank send a new password. Oops.

With Two Factor Authentication (2FA) they need not only your password, but also something physical. Traditionally this has been a dedicated dongle with a rotating code on it, like an RSA SecurID. Cheaper alternatives like the YubiKey are also around, and while that solution is great since it's open source, inexpensive, and nearly indestructible (I have one myself), it also needs a USB port, which means using it with a mobile phone or an airport Internet terminal is pretty much impossible. Along comes Google.

The Google Two Factor Authentication solution uses your mobile phone as part of the authentication. When you try to sign in to your properly configured GMail account on a new computer it asks for your username and password. Plus it asks for a validation code. Using the Google Authenticator app you can complete the login.

Now if someone knows your password they can't access your email. If someone has your phone they have nothing, because you lock your phone, right? Well, let's say you don't lock your phone (at least you didn't; have it stolen once and see if that changes!). Now they have access to your authenticator app, but without your password they have only limited success. And as soon as you can get to a PC you can revoke your phone's access to your email. Perfect? Not quite, but it's a decent start.


2. Configuring PAM

Linux's Pluggable Authentication Modules (PAM) framework provides a nice, standard way of implementing novel authentication mechanisms like Google's 2FA solution. Thanks to MNX Solutions this is fairly easy. First, install Google Authenticator on your phone and enable it for your GMail account to make sure it's working.

Under Ubuntu you'll need two packages. Running sudo apt-get install mercurial libpam0g-dev will install them. Now you can install Google Authenticator for PAM by running the following commands:


hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
cd google-authenticator/libpam/
make
sudo make install

Run the command google-authenticator and it will create a secret key for you. You'll probably want to save the initial output from this command someplace safe: the emergency scratch codes let you log in if you lose your phone. If you open the link in the output you'll see a QR code. Open the Google Authenticator application on your phone, hit the Menu button, and touch the "Scan account barcode" item to add your computer to your account.

Now you'll want to edit /etc/pam.d/sshd and add the following line to the beginning:


auth required pam_google_authenticator.so

Now edit /etc/ssh/sshd_config and ensure ChallengeResponseAuthentication and UsePAM are both set to yes. Restarting ssh by running sudo /etc/init.d/ssh restart should get you going.
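To confirm that a host actually ended up in the state the steps above describe, here is an added example (not from this article or the google-authenticator project) that parses sshd_config and /etc/pam.d/sshd text and reports anything that deviates. It encodes two details that trip people up: sshd honours the first occurrence of a directive, so a later UsePAM yes does not override an earlier UsePAM no, and settings inside a Match block apply only to matching connections. The file contents are constructed samples and the function names are my own.

```python
import os
import re

# Constructed sample /etc/ssh/sshd_config, not copied from a real host. It deliberately
# contains a commented-out directive, a directive set twice, and a Match block.
SAMPLE_SSHD_CONFIG = """\
# Authentication settings
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM no
UsePAM yes
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication no
"""

# Constructed sample /etc/pam.d/sshd with the article's line at the top.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
auth required pam_google_authenticator.so
@include common-auth
account required pam_nologin.so
"""

# sshd's built-in defaults for the two directives, used when a file does not set them.
SSHD_DEFAULTS = {"challengeresponseauthentication": "yes", "usepam": "no"}


def parse_sshd_config(text):
    """Map lower-cased keyword -> effective value for the global section.

    sshd keywords are case-insensitive, the FIRST occurrence of a keyword wins,
    and everything after the first Match line is conditional, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)               # keep the first occurrence only
    return settings


def pam_auth_entries(text):
    """List (control, module) for the auth lines of a pam.d file, in file order.

    An @include line is recorded as ('include', name) because the included file
    may contribute auth entries ahead of anything written after it.
    """
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "@include" and len(fields) >= 2:
            entries.append(("include", fields[1]))
        elif fields[0] == "auth" and len(fields) >= 3:
            entries.append((fields[1], os.path.basename(fields[2])))
    return entries


def audit(sshd_config_text, pam_sshd_text):
    """Return a list of findings; an empty list means the host matches the article's setup."""
    findings = []
    cfg = parse_sshd_config(sshd_config_text)
    for key in ("challengeresponseauthentication", "usepam"):
        value = cfg.get(key, SSHD_DEFAULTS[key]).lower()
        if value != "yes":
            findings.append(f"{key} is {value}, expected yes")
    auth = pam_auth_entries(pam_sshd_text)
    modules = [module for _, module in auth]
    if "pam_google_authenticator.so" not in modules:
        findings.append("pam_google_authenticator.so missing from the auth stack")
    elif modules[0] != "pam_google_authenticator.so":
        findings.append("pam_google_authenticator.so is not the first auth entry")
    elif auth[0][0] not in ("required", "requisite"):
        findings.append(f"pam_google_authenticator.so control is {auth[0][0]}, expected required")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD) or ["OK"]:
        print(finding)
```

Run against the samples it reports only that UsePAM is effectively no, which is exactly the case where a quick visual check of the file would say everything looks fine. On a real host, read the two files and pass their contents to audit() instead of the samples.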


2.1. Using Key-Based Authentication

Key-based authentication trumps pretty much everything else: sshd only runs the PAM auth stack for password and keyboard-interactive logins, so if you authenticate using a key you won't be prompted for your 2FA code. However, if you don't always have your key (or don't want to install it on a portable system or mobile phone), this setup lets you feel a bit better about allowing password-based authentication as a backup mechanism.


A. About Me

My name is Jeff Bower; I'm a technology professional with more years of experience in the telecommunications industry than I'd care to admit. I tend to post with the username jdbower on various forums. Writing these documents is a hobby of mine; I hope you find them useful, and feel free to browse more at https://www.ebower.com/docs.

If you've got any questions or feedback please feel free to email me at docs@ebower.com or follow me on Google+ or Twitter.