This is a guest diary written by Jeff Singleton. If you are interested in contributing a guest diary, please ask via our contact form.

We can already use two-step authentication in GMail with the Google Authenticator Android app. The idea is to create a secret key shared between the service and the Android app, so that every 30 seconds we get a randomly generated token on Android that must be provided at login in addition to the password. That token is only valid in that 30s time frame. Since this provides a nice second security layer for our logins, why not take advantage of it on our Linux box as well?

We'll need two things to get started:

· Install Google Authenticator on our Android, iOS or Blackberry phone.
· Install the PAM module on our Linux box.

The first step is trivial, so we will just move on to the second one. To set up two-factor authentication for your Linux server you will need to download and compile the PAM module for your system. The examples here are based on CentOS 6, but it should be easy enough to figure out the equivalents for whatever distribution you happen to be using. Here is a link with similar steps for Ubuntu/Debian or any OS using Aptitude.
Once the PAM module and the command-line google-authenticator application are installed, you need to edit the /etc/pam.d/sshd file and add the lines below at the very top of the file:

    auth required pam_sepermit.so
    auth required pam_google_authenticator.so
    auth include password-auth

Additionally, you may wish to add the two-step authentication to your display manager (kdm, gdm, or lightdm). Depending on your distro you might be using a different login manager. Pick and edit the correct file among these:

· /etc/pam.d/gdm
· /etc/pam.d/lightdm
· /etc/pam.d/kdm

Add this line at the bottom:

    auth required pam_google_authenticator.so

Once we have that installed we will run this command as the user we want to use two-step authentication with. If we want to use it for several users we will have to run it once for each of them, since it generates a unique secret key each time:
Once you see the above text in your terminal window, the very next thing to do is launch your web browser and point it to the URL shown towards the top of that text.
You should now see a big QR code. Open the Google Authenticator app on your phone of choice, hit the menu button and select "Scan barcode". Point the camera at the QR code on the screen and you'll get a new item on the Google Authenticator main screen with an ID for the user and computer and the generated token below, along with a counter showing how much time is left before the code expires.

TIP: time is very important, so your Linux server should have an NTP client installed in order to keep the time accurate. You should definitely keep an eye on this, and if you have any trouble you may have to widen the window size as offered by google-authenticator.

TIP: You will also need to edit /etc/ssh/sshd_config to enable "ChallengeResponseAuthentication" and "UsePAM" (set them both to "yes").

Finally, restart sshd to commit the changes you just made. When this is done, try logging into the system via SSH:
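As an added check (not part of the original diary), the Python functions below parse an sshd_config and report the values sshd will actually use for the two options just mentioned. This matters because sshd takes the first occurrence of a keyword, so a "yes" appended at the bottom of the file does nothing if an explicit "no" already sits above it. The sample configuration is constructed for this example. Newer OpenSSH releases spell the first option KbdInteractiveAuthentication and keep ChallengeResponseAuthentication as an alias, so both spellings are treated as the same setting here.

```python
import re

# Constructed sample configuration for this example, not a real server's file.
# Note the explicit "no" that precedes the later "yes".
SAMPLE_SSHD_CONFIG = """\
Port 22
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication no
"""

# sshd treats these two keyword spellings as the same option.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

# What the diary asks for: both options explicitly set to "yes".
REQUIRED = {"challengeresponseauthentication": "yes", "usepam": "yes"}


def effective_settings(config_text: str) -> dict:
    """Return the value sshd will use for each keyword in the global section.

    sshd_config semantics: comments and blank lines are ignored, keywords are
    case-insensitive, and for each keyword the FIRST value read wins, so a
    later duplicate is silently ignored. Keywords inside a Match block apply
    only when the block's conditions hold, so parsing stops at the first
    Match line.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword = parts[0].lower()
        keyword = ALIASES.get(keyword, keyword)
        if keyword == "match":
            break
        settings.setdefault(keyword, parts[1].strip())
    return settings


def check_two_step_prereqs(config_text: str) -> list:
    """List everything that would keep pam_google_authenticator out of the SSH login path."""
    effective = effective_settings(config_text)
    problems = []
    for keyword, wanted in REQUIRED.items():
        actual = effective.get(keyword, "").lower()
        if actual != wanted:
            problems.append(
                f"{keyword} is {actual or 'not set explicitly'}, should be {wanted}")
    return problems


if __name__ == "__main__":
    for problem in check_two_step_prereqs(SAMPLE_SSHD_CONFIG):
        print("PROBLEM:", problem)
```

Run it against a copy of your own /etc/ssh/sshd_config before restarting sshd; an empty problem list means the PAM stack will be consulted for the keyboard-interactive login the diary describes.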
You must provide the verification code as presented by your phone in order to log in. Even if the password is known, without the verification code, the login will fail. Important: you will not be able to use this method if you use ssh private/public keys as the two are mutually exclusive.
The two-step authentication will keep users out of your box as long as they don't also have access to your phone, but you shouldn't forget that there's no way to really secure a box if the attacker has physical access to it.
Alex Stanford, Aug 1st 2013
I wrote a CLI client for Google Authenticator: https://github.com/ClockworkNet/gacli
Anonymous, Aug 1st 2013
"Important: you will not be able to use this method if you use ssh private/public keys as the two are mutually exclusive."
Not with SSH auth. But you could use Allow/Deny statements in the SSH configuration to create a dedicated user for SSH'ing in with a public key. That is, create a user with a restricted shell that you SSH in as, so the only allowed command is 'su' to certain users. Then with SSHD configured to only allow public key auth, you require (1) public key or certificate-based authentication to SSH; after logging in, (2) a su password, and (3) the Google Authenticator verification code. Which is basically 3-factor authentication, since.... (1) Public Key -- Some location that you are located at (you're logged into a workstation that has the private key corresponding to the SSH public key certificate installed, preferably in a non-exportable certificate keystore, so the SSH key cannot easily be stolen).
Mysid, Aug 1st 2013
Quoting Mysid: "Important: you will not be able to use this method if you use ssh private/public keys as the two are mutually exclusive."
Mysid, Aug 1st 2013
I understand that adding the extra factor of a 1-time-pass from your phone would add security, but of all the internet connected devices that people use, the phone is probably the one that is most frequently lost or stolen. I have not seen the app that provides these 1-time pass tokens, but I hope that it also requires some kind of password or pass-phrase. Also, given Google's recent reputation for handing over private information, I worry about Google being the source for this.
Moriah, Aug 2nd 2013
The idea of two factor authentication is that neither factor provides access to the device. If the phone is stolen, you still need the password (in addition to the phone). Two factor authentication should not be seen as an excuse to use weak passwords.
The Google Authenticator on the iPhone does not require a password. It does just rely on the screen lock password. Of course, these tokens are vulnerable to hacked devices as well, which is why for high security access, hard-tokens should be used.
Johannes (ISC Handler), Aug 2nd 2013
I have a question and a doubt here: so, I did this on CentOS, and do I need to save that barcode somewhere? I mean the link.
Because when I try to log in, it asks me for a verification code. Which code should I provide here?
Johannes, Sep 17th 2013