SSH Two Factor Authentication

Below is a tutorial on how to install Google Authenticator.. Rather than receiving a call or a text message you are able to use the two step authentication via an app on your mobile phone.

First off, Install the package.

sudo apt-get install libpam-google-authenticator

This just installs the PAM module, it does not set it up.

Next we need to create a key.

google-authenticator

After you run this command you will be presented with a QR code, Emergency Scratch codes(Make a note of these) and the below questions, to which you answer yes.

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Install on phone

Now you must install the Google Authenticator application on your phone.

Official apps have been released on iPhone, Android and Blackberry.

After you down load this, scan the QR code that you were given in your terminal.

This will set up the account

Turn on Google authenticator.

For Google Authenticator to work you need to tell your server to require it with SSH logins.

vim /etc/pam.d/sshd

Add the below line, to the bottom of the file

 auth required pam_google_authenticator.so

Now edit the ssh config file

vim /etc/ssh/sshd_config

Find the line that says “ChallengeResponseAuthentication” and make sure it says

ChallengeResponseAuthentication yes

If it does not exist then add the line in.

Restart SSH and you’re good to go!

sudo /etc/init.d/ssh restart

If you get any permission denied errors on any of the above commands try adding sudo to the beginning.

Also please note that if you are accessing the server using ssh key authentication then you will not be prompted for the Google Passcode.