<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML v4.5//EN" "/usr/share/xml/docbook/schema/dtd/4.5/docbookx.dtd">
<article lang="en">
  <articleinfo>
    <keywordset>
      <keyword>google</keyword>
      <keyword>2fa</keyword>
      <keyword>two factor authentication</keyword>
      <keyword>ubuntu</keyword>
      <keyword>linux</keyword>
      <keyword>ssh</keyword>
      <keyword>pam</keyword>
    </keywordset>
    <title>Using Google 2FA for SSH Authentication</title>
    <abstract>
      <para>
Google has a two-factor authentication mechanism available for their GMail and select other services.  With a little work, you can use this mechanism to authenticate to your SSH server as well.
</para>
    </abstract>
  </articleinfo>
  <section id="intro">
    <title>What is Two Factor Authentication?</title>
    <para>
Normally to log into your email you need a username and a password.  The problem is you use the same password at your favorite forum, social networking site, or to access your utility bill.  Then one of these sites has a breach and the attackers have your username and password.  Not only can they access something meaningless, but also your email.  And from there they can get your bank to send a new password.  Oops.
</para>
    <para>
With Two Factor Authentication (2FA) not only do they need your password, but they need something physical.  Traditionally this has been a dedicated dongle with a rotating code on it like an RSA <ulink url="http://www.rsa.com/node.aspx?id=1156">SecurID</ulink>.  Cheaper alternatives like the <ulink url="http://www.yubico.com/yubikey">YubiKey</ulink> are also around, and while this solution is great since it's open source, inexpensive, and nearly indestructible (I have one myself), it also needs a USB port, which means using it with a mobile phone or an airport Internet terminal is pretty much impossible.  Along comes Google.
</para>
    <para>
The <ulink url="http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html">Google Two Factor Authentication</ulink> solution uses your mobile phone as part of the authentication.  When you try to sign in to your properly configured GMail account on a new computer it asks for your username and password.  Plus it asks for a validation code.  Using the <ulink url="https://market.android.com/details?id=com.google.android.apps.authenticator">Google Authenticator</ulink> app you can complete the login.
</para>
    <para>
Now if someone knows your password they can't access your email.  If someone has your phone they have nothing because you lock your phone, right?  Well, let's say you don't lock your phone (at least not yet; have it stolen once and see if that changes!).  Now they have access to your authenticator app, but without your password they only have limited success.  And as soon as you can get to a PC you can revoke your phone's access to your email.  Perfect?  Not quite, but it's a decent start.
</para>
  </section>
  <section id="pam">
    <title>Configuring PAM</title>
    <para>
Linux's Pluggable Authentication Modules (PAM) framework provides a nice, standard way of implementing novel authentication mechanisms like Google's 2FA solution.  Thanks to <ulink url="http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html">MNX Solutions</ulink> this is fairly easy.  First, install Google Authenticator on your phone and enable it for your GMail account to make sure it's working.
</para>
    <para>
Under Ubuntu you'll need two packages.  Running <command>sudo apt-get install mercurial libpam0g-dev</command> will install them.  Now you can install Google Authenticator for PAM by running the following commands:
</para>
    <programlisting>
hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
cd google-authenticator/libpam/
make
sudo make install
</programlisting>
    <para>
Run the command <command>google-authenticator</command> and it will create a secret key for you.  You'll probably want to save the initial output from this command someplace safe: the emergency scratch codes let you log in if you lose your phone.  If you open the link in the output you'll see a QR code.  Open the Google Authenticator application on your phone, hit the Menu button, and touch the "Scan account barcode" item to add your computer to your account.
</para>
    <para>
Now you'll want to edit <filename>/etc/pam.d/sshd</filename> and add the following line to the beginning:
</para>
    <programlisting>
auth required pam_google_authenticator.so
</programlisting>
    <para>
Now edit <filename>/etc/ssh/sshd_config</filename> and ensure <varname>ChallengeResponseAuthentication</varname> and <varname>UsePAM</varname> are set to <varname>yes</varname>.  Restarting ssh by running <command>sudo /etc/init.d/ssh restart</command> should get you going.
</para>
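    <para>
What the PAM module checks at login is a time-based one-time code derived from the secret key that <command>google-authenticator</command> created.  The following is an added example of that check (not the module's own code); it assumes a constructed sample secret (the RFC 6238 reference key in base32), HMAC-SHA1, six digits, 30-second steps, and a tolerance of one step either side of the current time.
</para>
    <programlisting><![CDATA[
```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the base32 form of the RFC 6238 reference key
# "12345678901234567890".  On a real system the secret is the one that
# google-authenticator wrote to ~/.google_authenticator (assumption for this
# example: we never read that file here).
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % (10 ** digits))


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time window.
    This is the code the Authenticator app displays."""
    if now is None:
        now = time.time()
    return hotp(secret_b32, int(now) // step, digits)


def verify_code(secret_b32, code, now=None, step=30, window=1):
    """Accept `code` if it matches the current window or one `window` steps
    on either side (tolerates a slightly skewed phone clock; the +-1 window
    is an assumption for this example).  All candidates are compared in
    constant time so a wrong guess does not leak how close it was."""
    if now is None:
        now = time.time()
    counter = int(now) // step
    code = code.strip().replace(" ", "")
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret_b32, c), code)
    return ok


if __name__ == "__main__":
    # RFC 6238 test vector at T=59 (SHA-1), six-digit form: 287082
    print(totp(SAMPLE_SECRET, now=59))
```
]]></programlisting>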
    <section id="using-keys">
      <title>Using Key-Based Authentication</title>
      <para>
Key-based authentication trumps pretty much everything else.  If you authenticate using a key you won't be prompted for your 2FA code.  However, if you don't always have your key (or don't want to install it on a portable system/mobile phone) this can let you feel a bit better about allowing password-based authentication as a backup mechanism.
</para>
    </section>
  </section>
  <!-- INCLUDE ../about-me.docbook -->
  <appendix id="about-me">
    <title>About Me</title>
    <para>
My name is Jeff Bower, I'm a <ulink url="http://www.linkedin.com/in/jdbower">technology professional</ulink> with more years of experience in the telecommunications industry than I'd care to admit.  I tend to post with the username jdbower on various forums, including <ulink url="http://komodokamado.com/forum/">Komodo Kamado</ulink>, <ulink url="http://forum.androidcentral.com/">Android Central</ulink>, <ulink url="http://forums.virtualbox.org/">VirtualBox</ulink>, and <ulink url="http://www.makemkv.com/forum2/">MakeMKV</ulink>.  Writing these documents is a hobby of mine; I hope you find them useful, and feel free to browse more at <ulink url="https://www.ebower.com/docs">https://www.ebower.com/docs</ulink>.
</para>
    <para>
I also enjoy cooking, especially outdoors with my <ulink url="http://www.komodokamado.com">Komodo Kamado</ulink> and using my <ulink url="https://www.rocksbarbque.com">Stoker</ulink>.  Take a look at my recipes stored at <ulink url="https://www.ebower.com/recipes">https://www.ebower.com/recipes</ulink>.
</para>
    <para>
If you've got any questions or feedback please feel free to email me at <ulink url="mailto:docs@ebower.com">docs@ebower.com</ulink> or follow me on <ulink url="https://profiles.google.com/100268310848930740059">Google+</ulink> or <ulink url="http://twitter.com/jdbower">Twitter</ulink>.
</para>
  </appendix>

<!-- INCLUDE_END ../about-me.docbook -->
</article>