Google Authenticator PAM module (2 step authentication for SSH)

Major service providers like Gmail, Dropbox, GitHub and Amazon Web Services encourage their users to enable 2 step authentication, as it is one of the safest ways to protect a login. I'm using this second factor on top of the password to SSH into my gateway server from the WAN, so that I can reach the other hosts in that network, and I think it's by far the safest solution.

Packages

First of all, you'll need these packages installed on the Linux machine:

  • autoconf
  • automake
  • make
  • gcc
  • wget
  • unzip
  • libtool
  • pam-devel (for CentOS / RHEL)
  • libpam0g-dev (for Debian)

yum install pam-devel gcc make autoconf automake wget unzip libtool on CentOS / RHEL, or
apt-get install libpam0g-dev gcc make autoconf automake wget unzip libtool if you're on Debian.

Then download google-authenticator from its GitHub page, either with git clone or with wget. (The PAM module has since moved to its own repository, https://github.com/google/google-authenticator-libpam, where the contents of the libpam/ directory used below sit at the top level.) An example with wget:

wget https://github.com/google/google-authenticator/archive/master.zip
unzip master.zip

Compile the code

After the files are on the filesystem, we have to compile google-authenticator:

cd google-authenticator-master/libpam/
./bootstrap.sh
./configure
make
make install

If make install succeeds, the output will look like this:

# make install
cp pam_google_authenticator.so /lib64/security
cp google-authenticator /usr/local/bin

Set-up google-authenticator

Now we need to configure google-authenticator for the account that will log in: run it as that user and answer the questions with y/n according to your preferences. The secret and the settings are written to that user's ~/.google_authenticator, so every account that should use 2 step authentication runs it once. The emergency scratch codes are one-time codes for when the phone is not at hand, so store them somewhere safe and offline. I've answered all with yes:

# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: RSXXXXXXXXXXXXXX
Your verification code is 010101
Your emergency scratch codes are:
  XXXXXXXXX
  XXXXXXXXX
  XXXXXXXXX
  XXXXXXXXX
  XXXXXXXXX

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

Mobile app configuration

Open up the Google Authenticator app (it doesn't matter whether you're on Android or iOS), hit the menu button (three dots in the upper right corner) and select Set up account.

You can then choose Scan a barcode or Enter provided key; for the latter, type in the secret key that was printed earlier.
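To make the setup questions and the app concrete, here is a small Python example written for this article (it is not google-authenticator's own code) that computes the six-digit code the app shows from a base32 secret, checks it with the same kind of skew window the setup asks about, and rejects a replayed code the way the "disallow multiple uses" option does. The secret is the RFC 6238 test key rather than a real one, and the user and host in the otpauth URI are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
# A real ~/.google_authenticator secret looks like the 16-character key the tool
# prints and must be treated like a password (it is equivalent to the phone).
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30      # "tokens are good for 30 seconds"
DIGITS = 6     # the six-digit code shown in the app


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm the PAM module and the app share."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238: the counter is simply the number of 30-second steps since the epoch."""
    return hotp(secret_b32, int(unix_time) // step, digits)


def verify(secret_b32, code, unix_time, window=1, step=STEP, last_accepted=None):
    """Return the step offset at which `code` is valid, or None.

    window=1 is the tool's default: the previous, current and next code are accepted
    (1:30 of clock skew in total). Answering yes to the "about 4min" question is the
    same as window=8: four minutes of skew either way.

    last_accepted is the step number of the most recent successful login. With the
    "disallow multiple uses" option the module stores it in the secret file and
    refuses any code that is not strictly newer, which is what defeats a replayed
    code even though it is still inside the window.
    """
    base = int(unix_time) // step
    for k in range(-window, window + 1):
        if base + k < 0:
            continue
        if not hmac.compare_digest(hotp(secret_b32, base + k), str(code)):
            continue
        if last_accepted is not None and base + k <= last_accepted:
            return None          # correct, but already used: treat it as a replay
        return k
    return None


def otpauth_uri(user, host, secret_b32):
    """The Key URI the app reads when you 'Scan a barcode'; 'Enter provided key'
    with the same secret sets up the identical account. User and host are made up."""
    return f"otpauth://totp/{quote(user + '@' + host)}?secret={secret_b32}&issuer={quote(host)}"


if __name__ == "__main__":
    now = int(time.time())
    print("code right now:       ", totp(DEMO_SECRET, now))
    print("previous code, offset:", verify(DEMO_SECRET, totp(DEMO_SECRET, now - STEP), now))
    print(otpauth_uri("root", "gateway.example", DEMO_SECRET))
```

Run it and compare the printed code with what the app shows after entering the same demo secret: they agree only when the phone's and the server's clocks agree, which is exactly why the skew window exists. Never paste a real secret into a script like this; whoever has the secret can produce every future code.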

System configuration

Now we need the system to use google-authenticator during SSH login.

We’ll need to edit /etc/pam.d/sshd and /etc/ssh/sshd_config files.

In /etc/pam.d/sshd add the following line (the control flag required means the code is checked in addition to, not instead of, the password; do not use sufficient, which would let a valid code alone succeed):

auth required pam_google_authenticator.so

In the /etc/ssh/sshd_config file change

ChallengeResponseAuthentication no

To

ChallengeResponseAuthentication yes

and make sure UsePAM yes is set as well, otherwise sshd never runs the PAM stack and the module is never consulted. Note that sshd honours only the first occurrence of a directive, so edit the existing line rather than appending a new one at the bottom. On OpenSSH 8.7 and later the directive is called KbdInteractiveAuthentication (ChallengeResponseAuthentication is still accepted as an alias). If you log in with a public key instead of a password, sshd skips PAM authentication altogether and the code is never asked for, unless you also set AuthenticationMethods publickey,keyboard-interactive.

Before restarting, keep your current SSH session open and validate the configuration with sshd -t. Then restart the ssh daemon with systemctl restart sshd, or /etc/init.d/ssh restart if you're on Debian, and test the login from a second session, so that a mistake cannot lock you out of the gateway.
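Because sshd honours only the first occurrence of a directive, and because the module is silently skipped when UsePAM is off or the PAM line carries the wrong control flag, here is an added Python check, written for this article and not part of google-authenticator or OpenSSH, that reads the two files edited above and lists anything that would stop the code from being enforced. It understands the plain "Keyword value" form of sshd_config and stops at the first Match block, which is a deliberate simplification.

```python
import re

# Illustrative check written for this article. Assumptions: sshd_config uses the
# plain "Keyword value" form (no "Keyword=value"), and conditional Match blocks
# are not evaluated; parsing simply stops at the first one.


def first_directive(sshd_config, keyword):
    """Value of the FIRST top-level occurrence of keyword (case-insensitive), or None.

    sshd ignores later duplicates, so a 'yes' appended at the bottom of the file
    does nothing if a 'no' for the same keyword sits above it.
    """
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":            # everything below is conditional
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return None


# "auth <control-flag> [path/]pam_google_authenticator.so ..."
PAM_LINE = re.compile(r"^\s*auth\s+(\S+)\s+(?:\S*/)?pam_google_authenticator\.so\b")


def otp_problems(sshd_config, pam_sshd):
    """Return a list of problems; an empty list means the code will be enforced."""
    problems = []

    # sshd_config(5) defaults UsePAM to no; distributions normally ship it as yes.
    if (first_directive(sshd_config, "UsePAM") or "no").lower() != "yes":
        problems.append("UsePAM is not 'yes': sshd never runs the PAM stack, "
                        "so pam_google_authenticator is never consulted")

    # Defaults to yes in sshd_config(5), but Debian and CentOS ship it as no.
    # KbdInteractiveAuthentication is the newer name for the same setting.
    cra = (first_directive(sshd_config, "ChallengeResponseAuthentication")
           or first_directive(sshd_config, "KbdInteractiveAuthentication")
           or "yes")
    if cra.lower() != "yes":
        problems.append("ChallengeResponseAuthentication is not 'yes': "
                        "sshd will never prompt for the verification code")

    flags = [m.group(1).lower()
             for m in (PAM_LINE.match(l) for l in pam_sshd.splitlines()) if m]
    if not flags:
        problems.append("pam_google_authenticator.so is not listed as an auth "
                        "module in /etc/pam.d/sshd")
    elif flags[0] == "sufficient":
        problems.append("pam_google_authenticator.so is 'sufficient': a valid code "
                        "alone satisfies PAM and the password check is skipped")
    return problems


if __name__ == "__main__":
    with open("/etc/ssh/sshd_config") as f, open("/etc/pam.d/sshd") as g:
        found = otp_problems(f.read(), g.read())
        for line in found or ["OK: the verification code will be required for SSH logins"]:
            print(line)
```

Run it on the gateway after editing the files and before restarting sshd; an empty result is the cue to restart and to test from a second session.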