
Two Factor SSH Authentication.

Posted: Thu Aug 01, 2013 11:15 am
by tanmay.01
Now that OpenSSH 6.2 has been released with full and proper support, the next release of Ubuntu (Saucy Salamander) will include it.


All you have to do is:

apt-get install libpam-google-authenticator


Users who want to continue using ssh must each run the command google-authenticator. This tool interactively helps you to create the file ~/.google_authenticator, which contains a shared secret and emergency passcodes. It's a terminal application, but it does still display a QR code for quick loading of the shared secret into your two factor device (in my case, this is the Google Authenticator app on my Android smartphone).

Edit /etc/ssh/sshd_config. Set:

ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive


In case you have changed them in the past, you should also check the following two settings (these are both defaults on Ubuntu):

UsePAM yes
PubkeyAuthentication yes


Run

sudo service ssh reload

to pick up your changes to /etc/ssh/sshd_config.


Edit /etc/pam.d/sshd and replace the line:

@include common-auth


with:

auth required pam_google_authenticator.so


That's it! Now ssh logins will require a key, and after your key is verified will additionally require proof that you hold your second factor device.

Your existing ssh session should not be affected by these changes. So before you continue, make sure that you can still access the machine by authenticating with your new two factor system in another session. If you're using shared connections (or aren't sure), be sure to use the -Snone option to ssh in order to make sure that you don't accidentally skip authentication by re-using an existing connection.


How it works: Just like Google's two factor authentication.
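
A way to check that both files ended up as the post above describes, as an added example that is not part of the original post. The function names (sshd_value, pam_ok, audit_2fa) and the sample files are constructed for illustration; UsePAM and PubkeyAuthentication are treated as "yes" when absent because the post says those are the Ubuntu defaults.

```shell
#!/bin/sh
# Added example: audit sshd_config and the PAM sshd stack against the post's settings.
# sshd keeps the first value it sees for a keyword; this parser stops at the first Match block.
sshd_value() {   # usage: sshd_value FILE KEY DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print tolower($0); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# True only if an uncommented pam_google_authenticator.so auth line exists and
# "@include common-auth" (the line the post replaces) is no longer active.
pam_ok() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1" &&
    ! grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$1"
}

# Print one line per deviation from the post's settings; return non-zero if any.
audit_2fa() {
    conf=$1 pam=$2 rc=0
    while read -r key want def; do
        got=$(sshd_value "$conf" "$key" "$def")
        [ "$got" = "$want" ] || { echo "FAIL $key: want '$want', got '$got'"; rc=1; }
    done <<EOF
ChallengeResponseAuthentication yes unset
PasswordAuthentication no unset
AuthenticationMethods publickey,keyboard-interactive unset
UsePAM yes yes
PubkeyAuthentication yes yes
EOF
    pam_ok "$pam" || { echo "FAIL pam: expected pam_google_authenticator.so in place of @include common-auth"; rc=1; }
    return $rc
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' 'ChallengeResponseAuthentication yes' 'PasswordAuthentication no' \
    'AuthenticationMethods publickey,keyboard-interactive' > "$demo/good_sshd"
printf '%s\n' 'auth required pam_google_authenticator.so' > "$demo/good_pam"
# Weak variant: an earlier "PasswordAuthentication yes" wins, and the PAM edit was never made.
printf '%s\n' 'PasswordAuthentication yes' 'passwordauthentication no' \
    'AuthenticationMethods publickey,keyboard-interactive' > "$demo/bad_sshd"
printf '%s\n' '#auth required pam_google_authenticator.so' '@include common-auth' > "$demo/bad_pam"

audit_2fa "$demo/good_sshd" "$demo/good_pam" && echo "good: OK"
audit_2fa "$demo/bad_sshd" "$demo/bad_pam" || echo "bad: findings above"
```

On a real host, pass /etc/ssh/sshd_config and /etc/pam.d/sshd as the two arguments; sshd -T prints the effective configuration if you want to compare against what the daemon itself parsed.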

Re: Two Factor SSH Authentication.

Posted: Thu Aug 01, 2013 6:28 pm
by ryanvade
Is there a version for 13.04? Or can I just build from source?

Re: Two Factor SSH Authentication.

Posted: Thu Aug 01, 2013 10:50 pm
by tanmay.01
You will have to build it if there is no ppa.

Sent from my Nexus 4

Re: Two Factor SSH Authentication.

Posted: Thu Oct 09, 2014 8:28 am
by araina
As a system administrator, Linux security technician or system auditor, your responsibility can involve any combination of these: software patch management, malware scanning, file integrity checks, security audit, configuration error checking, etc. If there is an automatic vulnerability scanning tool, it can save you a lot of time checking up on common security issues.