

I use Google Authenticator on all of my Google accounts because it’s a nice, efficient way to do multi-factor authentication for the great price of free-ninety-nine. I wanted to use it on one of my servers, but I wanted to be extra secure and use not only TOTP, but password based and RSA key authentication as well. All of the documentation I could find on doing so with OpenSSH only covered Google Authenticator’s TOTP and password based authentication. Thankfully, this is possible since OpenSSH 6.2 introduced the AuthenticationMethods argument.


Setting up Google Authenticator



For this I am going to be using Ubuntu 14.04 LTS, which makes setting up Google Authenticator really, really simple.







sudo apt-get install libpam-google-authenticator

Insanely difficult, I know. In this case, this only installs the PAM library on the server.











After that, we will instruct PAM to load the plugin by adding the following line to /etc/pam.d/sshd:

auth required pam_google_authenticator.so









Finally, we need to tell OpenSSH to use challenge-response authentication, as well as to require multiple factors of authentication.

In /etc/ssh/sshd_config, find the ChallengeResponseAuthentication line and change it to read as below:









ChallengeResponseAuthentication yes



We must also add the following lines:













UsePAM yes
AuthenticationMethods keyboard-interactive:pam,publickey

This will tell OpenSSH to enable PAM authentication, as well as to require a private key from the person trying to authenticate to the server. The methods listed in AuthenticationMethods must all succeed, in the order given: here the PAM challenge (account password plus TOTP code) runs first, and only then is the key checked.













Now, su to the user, and run the google-authenticator command to create a Google Authenticator secret for that user. Note that you can use the same secret across multiple users if you’d like, but that kind of kills the purpose…







Now, restart the SSH service on the server and test the login.

sudo service ssh restart
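Before that restart, it is worth confirming that the three sshd_config directives and the PAM line actually made it into the files, because a typo in either one can lock you out of the box (keep an existing SSH session open while you test). The pre-flight check below is an added example, not part of the original post; it assumes the two file paths used above, uses only POSIX sh and grep, and runs its demo against constructed sample files in a temporary directory rather than the live system files.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check that the
# settings the post adds are present in sshd_config and /etc/pam.d/sshd
# before sshd is restarted. Only POSIX sh and grep are used.

# Return 0 if FILE has an uncommented line "KEY VALUE" (leading whitespace
# allowed). sshd keywords are case-insensitive, hence grep -i.
has_directive() {
    file=$1; key=$2; value=$3
    grep -Eiq "^[[:space:]]*${key}[[:space:]]+${value}[[:space:]]*\$" "$file"
}

# Check both files; print each missing item; return 1 if anything is missing.
# Arguments default to the real paths; pass others to test against copies.
check_mfa_config() {
    sshd_conf=${1:-/etc/ssh/sshd_config}
    pam_conf=${2:-/etc/pam.d/sshd}
    missing=0
    has_directive "$sshd_conf" ChallengeResponseAuthentication yes \
        || { echo "missing: ChallengeResponseAuthentication yes in $sshd_conf"; missing=1; }
    has_directive "$sshd_conf" UsePAM yes \
        || { echo "missing: UsePAM yes in $sshd_conf"; missing=1; }
    has_directive "$sshd_conf" AuthenticationMethods 'keyboard-interactive:pam,publickey' \
        || { echo "missing: AuthenticationMethods keyboard-interactive:pam,publickey in $sshd_conf"; missing=1; }
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_conf" \
        || { echo "missing: auth required pam_google_authenticator.so in $pam_conf"; missing=1; }
    return $missing
}

# Demo on constructed sample files (never touches the real configuration).
tmp=$(mktemp -d)
printf '%s\n' 'Port 22' 'ChallengeResponseAuthentication yes' 'UsePAM yes' \
    'AuthenticationMethods keyboard-interactive:pam,publickey' > "$tmp/good_sshd_config"
printf '%s\n' 'auth required pam_google_authenticator.so' '@include common-auth' > "$tmp/good_pam_sshd"
# Bad copy: UsePAM left commented out and the PAM line commented out.
printf '%s\n' 'ChallengeResponseAuthentication yes' '#UsePAM yes' \
    'AuthenticationMethods keyboard-interactive:pam,publickey' > "$tmp/bad_sshd_config"
printf '%s\n' '#auth required pam_google_authenticator.so' > "$tmp/bad_pam_sshd"

check_mfa_config "$tmp/good_sshd_config" "$tmp/good_pam_sshd" && echo "good config: all MFA settings present"
check_mfa_config "$tmp/bad_sshd_config" "$tmp/bad_pam_sshd" || echo "bad config: fix the items above before restarting sshd"
rm -rf "$tmp"
```

On the real host, run `check_mfa_config` with no arguments (as root, since /etc/ssh/sshd_config is usually not world-readable) and then `sudo sshd -t`, which parses the configuration without starting a daemon, before the service restart. Note that the check only confirms the lines exist; it does not spot a later duplicate directive that overrides them, since sshd uses the first occurrence of a keyword.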









A successful login should look like below.



Should an attacker somehow compromise both your password and your Google Authenticator, they will still require your private key, as shown below.



So now, in order to authenticate to the server via SSH, you will need your Google Authenticator code, the password to the account, the private key, and, if you’re feeling extra special, the passphrase to your private key. If you combine this method of authentication with other ways of securing your SSH server, like port-knocking or running fail2ban, you can certainly make SSH authentication much, much more secure than just needing a password to the account.
