Monday, June 30, 2014

OpenSSH three factor authentication using Google Authenticator and Public Key authentication

I use Google Authenticator on all of my Google accounts because it's a nice, efficient way to do multi-factor authentication for the great price of free-ninety-nine. I wanted to use it on one of my servers, but I wanted to be extra secure and use not only TOTP, but password-based and RSA key authentication as well. All of the documentation I could find on doing so with OpenSSH only covered combining Google Authenticator's TOTP with password-based authentication. Thankfully, this is possible since OpenSSH 6.2 introduced the AuthenticationMethods option.

Setting up Google Authenticator

For this I am going to be using Ubuntu 14.04 LTS, which makes setting up Google Authenticator really, really simple.

sudo apt-get install libpam-google-authenticator

Insanely difficult, I know. In this case, this only installs the PAM module on the server; nothing is enabled yet.

After that, we will instruct PAM to load the module by adding the following line to /etc/pam.d/sshd:

auth required pam_google_authenticator.so

Finally, we need to tell OpenSSH to use challenge-response authentication, and to require more than one authentication method.

In /etc/ssh/sshd_config, find the ChallengeResponseAuthentication line and set it to read as below:

ChallengeResponseAuthentication yes

We must also add the following lines:

UsePAM yes
AuthenticationMethods keyboard-interactive:pam,publickey

This tells OpenSSH to run PAM's keyboard-interactive authentication (the account password plus the Google Authenticator code) and then, in addition, to require a private key from the person authenticating to the server. The methods in a comma-separated AuthenticationMethods list must all succeed, in that order.

Now, su to the user and run the google-authenticator command to create a Google Authenticator secret for that user. Note that you could use the same secret across multiple users if you'd like, but that kind of defeats the purpose...

Now, restart the SSH service on the server and test the login.

sudo service ssh restart
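Before restarting, it is worth confirming that every piece of the setup above is actually in place. The following POSIX sh script is an added example (not from the original post): it audits an sshd_config and a pam.d/sshd file for the three settings described here. The file paths are arguments, and it assumes the plain "Keyword value" syntax with a single comma-separated AuthenticationMethods list, as used above.

```sh
#!/bin/sh
# Added example, not from the original post: audit an sshd_config and a
# pam.d/sshd file for the three-factor settings described in this post.
# Assumes the plain "Keyword value" syntax (no "Key=value", no Match blocks)
# and a single comma-separated AuthenticationMethods list, as used above.

# Print the effective value of one sshd_config directive. sshd takes the
# first value it finds for a keyword, so stop at the first non-comment hit.
sshd_directive() {
    # $1 = path to sshd_config, $2 = directive name (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Return 0 when the config enforces PAM keyboard-interactive AND publickey
# and the PAM stack requires the Google Authenticator module; otherwise
# print every missing piece to stderr and return 1.
check_three_factor() {
    cfg="$1"; pam="$2"; ok=0
    [ "$(sshd_directive "$cfg" UsePAM)" = "yes" ] \
        || { echo "UsePAM is not yes" >&2; ok=1; }
    [ "$(sshd_directive "$cfg" ChallengeResponseAuthentication)" = "yes" ] \
        || { echo "ChallengeResponseAuthentication is not yes" >&2; ok=1; }
    methods="$(sshd_directive "$cfg" AuthenticationMethods)"
    case ",$methods," in
        *,keyboard-interactive:pam,*) ;;
        *) echo "AuthenticationMethods lacks keyboard-interactive:pam" >&2; ok=1 ;;
    esac
    case ",$methods," in
        *,publickey,*) ;;
        *) echo "AuthenticationMethods lacks publickey" >&2; ok=1 ;;
    esac
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam" \
        || { echo "pam_google_authenticator.so is not required in $pam" >&2; ok=1; }
    return "$ok"
}

# Usage: sh check-3fa.sh /etc/ssh/sshd_config /etc/pam.d/sshd
if [ "$#" -eq 2 ]; then
    check_three_factor "$1" "$2" && echo "three-factor SSH settings present"
fi
```

Pair it with `sudo sshd -t`, which checks the config syntax, and keep an existing session open while you restart, since a wrong AuthenticationMethods line will lock new logins out.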

A successful login should look like below.

Should an attacker somehow compromise both your password and your Google Authenticator, they will still need your private key, as shown below.


So now, in order to authenticate to the server via SSH, you will need the one-time code from Google Authenticator, the password to the account, the private key, and, if you're feeling extra special, the passphrase to your private key. If you combine this method of authentication with other ways of securing your SSH server, like port-knocking or running fail2ban, you can certainly make SSH authentication much, much more secure than just needing the password to the account.

Is this overkill? Probably. Is this awesome? Certainly.
