How to set up two-factor authentication (Google Authenticator) for SSH login

Source: Internet
Author: User
Tags ssh server linux mint

By default, SSH already encrypts the data exchanged between remote machines. If you want to add another layer of security to your SSH logins, you can add the Google Authenticator two-factor authentication module, which requires you to enter a random one-time password (a TOTP verification code) when connecting to the SSH server. When you connect, you have to type in the verification code shown on your smartphone or PC.

Google Authenticator is an open-source module, developed by Google, that implements one-time passcode (TOTP) verification tokens. Besides PAM (Pluggable Authentication Module), it also supports several mobile platforms. The one-time passcodes are generated using the open standards created by OATH (the Initiative for Open Authentication).

SSH two-factor verification

In this article, I will show you how to set up and configure SSH for two-factor authentication on Red Hat, CentOS, Fedora, Ubuntu, Linux Mint, Debian and similar systems.

Install the Google Authenticator module

On the machine where you want to set up two-factor authentication, install the following PAM library together with the development packages that the PAM module and the Google Authenticator module need in order to work together.

Install the 'pam-devel' package on Red Hat, CentOS and Fedora systems.

# yum install pam-devel make gcc-c++ wget

Install the 'libpam0g-dev' package on Ubuntu, Linux Mint and Debian systems (the C++ compiler package is named g++ there).

# apt-get install libpam0g-dev make g++ wget

Download the Google Authenticator module and extract it in the home directory (this assumes you are logged in as root and are working in root's home directory).

# cd /root

# wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2

# tar -xvf libpam-google-authenticator-1.0-source.tar.bz2

Run the following commands to compile and install the Google Authenticator module on the system.

# cd libpam-google-authenticator-1.0

# make

# make install

# google-authenticator

Once you run the 'google-authenticator' command, it will prompt you with a series of questions. In most cases, answer 'y' (yes). If something goes wrong, run the 'google-authenticator' command again to reset the settings.


After this question, you will be shown your "secret key" and your "emergency scratch codes". Record these details now; you will use the secret key when setting up the Google Authenticator app.

[root@tecmint libpam-google-authenticator-1.0]# google-authenticator

Do you want authentication tokens to be time-based (y/n) y

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@tecmint.com%3Fsecret%3DXEKITDTYCBA2TLPL

Your new secret key is: XEKITDTYCBA2TLPL

Your verification code is 461618

Your emergency scratch codes are:

65083399

10733609

47588351

71111643

92017550


Next, follow the prompts of the setup wizard. In most cases, answer 'y' (yes), as shown below.

Do you want me to update your "/root/.google_authenticator" file (y/n) y


Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y


By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y


If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

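The prompts above describe three TOTP behaviours: the 30-second step, the extra token accepted either side of the current time, and the refusal of a token that has already been used. As an added example, not part of the original article, here is a small RFC 6238 verifier that implements all three; the sample secret is the one printed above, while the RFC 6238 test key and the timestamps are only for demonstration.

```python
"""Added example, not code from the original article: a small RFC 6238 TOTP
verifier that shows what the google-authenticator prompts mean in practice
(30-second steps, the extra token either side, refusing a reused token).
The sample secret is the one printed above; the times used are constructed."""
import base64, hashlib, hmac, struct, time

SECRET_B32 = "XEKITDTYCBA2TLPL"         # secret key printed by google-authenticator above
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()  # RFC test key
STEP, DIGITS = 30, 6                    # tokens are good for 30 seconds, 6 digits

def hotp(secret_b32, counter):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret_b32, unix_time):
    """RFC 6238: the counter is the number of 30 s steps since the Unix epoch."""
    return hotp(secret_b32, unix_time // STEP)

def verify(secret_b32, code, unix_time, window=1, last_counter=-1):
    """Return the step counter that matched, or None.

    window=1 is google-authenticator's default (previous, current and next code:
    the "1:30min" in the prompt); its larger option is window=8 (17 codes, about
    4 minutes of skew either way). Counters at or below last_counter are refused,
    which is the "disallow multiple uses of the same authentication token" option,
    so the caller must persist the returned counter after a successful login."""
    now = unix_time // STEP
    for c in range(now - window, now + window + 1):
        if c < 0 or c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, c), code):   # constant-time compare
            return c
    return None

if __name__ == "__main__":
    now = int(time.time())
    print("code for the sample secret right now:", totp(SECRET_B32, now))
    print("accepted at counter:", verify(SECRET_B32, totp(SECRET_B32, now), now))
```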

Configure SSH to use the Google Authenticator module

Open the PAM configuration file '/etc/pam.d/sshd' and add the following line at the top of the file.

auth required pam_google_authenticator.so

Next, open the SSH configuration file '/etc/ssh/sshd_config' and scroll down to the line that reads:

ChallengeResponseAuthentication no

Change it to "yes", so that it now reads:

ChallengeResponseAuthentication yes

Finally, restart the SSH service so that the new settings take effect.

# /etc/init.d/sshd restart



Configure the Google Authenticator application

Run the Google Authenticator app on your smartphone, press Menu and select "Set up an account". If you do not have the app yet, download the Google Authenticator app (http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447) and install it on your Android, iPhone or BlackBerry device.

Google authenticator creates an account

Press "Enter key provided".

Enter the Google authenticator key

Enter an account name and the secret key generated earlier.

Google authenticator account name and key

The app will generate a one-time password (verification code) that changes every 30 seconds on your phone.

One-time password for Google authenticator

Now try logging in via SSH: every time you log in over SSH, the system will prompt you for the Google Authenticator code (verification code) and then for your password. You only have 30 seconds to enter the verification code; if you miss that window, a new code is generated.

login as: tecmint

Access denied

Using keyboard-interactive authentication.

Verification code:

Using keyboard-interactive authentication.

Password:

Last login: Tue Apr 23 13:58:29 2013 from 172.16.25.125

[root@tecmint ~]#

If you don't have a smartphone, you can also use a Firefox add-on called GAuth Authenticator (https://marketplace.firefox.com/app/gauth-authenticator/) for two-factor authentication.

Important: this two-factor authentication applies to password-based SSH logins. If you log in with an SSH private/public key pair, the two-factor step is skipped and you are logged in directly.
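As an added example, not code from the original article or from the tecmint author, the following script applies the two edits from the "Configure SSH to use the Google authenticator Module" section to copies of the files, checks the result, and optionally adds an AuthenticationMethods line (assumes OpenSSH 6.2 or later) so that a public key alone no longer skips the verification code described just above. The sample file contents in demo() are constructed.

```python
"""Added example, not code from the original article: apply the two edits from
"Configure SSH to use the Google authenticator Module" to copies of the config
files, optionally require key + TOTP (assumes OpenSSH 6.2+), and verify them."""
import os, re, tempfile
from pathlib import Path

PAM_LINE = "auth required pam_google_authenticator.so"

def set_sshd_option(conf_file, key, value):
    """Rewrite the first uncommented 'key ...' line, drop later duplicates (sshd
    honours the first one), or insert the line before any Match block."""
    p, out, done = Path(conf_file), [], False
    for line in p.read_text().splitlines():
        if re.match(rf"^\s*{key}\b", line, re.I):      # sshd keywords are case-insensitive
            if done:
                continue
            line, done = f"{key} {value}", True
        out.append(line)
    if not done:   # keep the new line global: a line after "Match" would only apply there
        m = next((i for i, l in enumerate(out) if re.match(r"^\s*Match\b", l, re.I)), len(out))
        out.insert(m, f"{key} {value}")
    p.write_text("\n".join(out) + "\n")

def enable_ssh_totp(pam_file, sshd_conf, require_key=False):
    pam = Path(pam_file)
    if not re.search(r"^auth\s+required\s+pam_google_authenticator\.so\s*$", pam.read_text(), re.M):
        pam.write_text(PAM_LINE + "\n" + pam.read_text())   # the PAM line goes at the top, once
    set_sshd_option(sshd_conf, "ChallengeResponseAuthentication", "yes")
    if require_key:   # key AND the keyboard-interactive (PAM) step; closes the bypass noted above
        set_sshd_option(sshd_conf, "AuthenticationMethods", "publickey,keyboard-interactive")

def check_ssh_totp(pam_file, sshd_conf):
    """True only if the PAM line comes first and challenge-response is on."""
    first = Path(pam_file).read_text().splitlines()[:1]
    on = re.search(r"^\s*ChallengeResponseAuthentication\s+yes\s*$",
                   Path(sshd_conf).read_text(), re.I | re.M)
    return first == [PAM_LINE] and on is not None

def demo():
    """Exercise the functions on constructed copies of both files; never touches /etc."""
    d = tempfile.mkdtemp()
    pam, conf = os.path.join(d, "sshd"), os.path.join(d, "sshd_config")
    Path(pam).write_text("#%PAM-1.0\nauth       substack     password-auth\n")
    Path(conf).write_text("Port 22\nChallengeResponseAuthentication no\n"
                          "Match User backup\n    PasswordAuthentication no\n")
    before = check_ssh_totp(pam, conf)
    enable_ssh_totp(pam, conf, require_key=True)
    enable_ssh_totp(pam, conf, require_key=True)       # second run must change nothing
    return {"before": before, "after": check_ssh_totp(pam, conf),
            "pam": Path(pam).read_text(), "sshd_config": Path(conf).read_text()}
```

On a real host, call enable_ssh_totp as root with /etc/pam.d/sshd and /etc/ssh/sshd_config, run `sshd -t` to validate the configuration before restarting, and keep an existing session open until a fresh login succeeds.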

Address: http://www.tecmint.com/ssh-two-factor-authentication/
