Thursday, March 12, 2015

Google Two-Factor Authentication on Linux Server



The Google Authenticator is an open-source module that includes implementations of one-time passcodes (TOTP) verification token developed by Google. It supports several mobile platforms, as well as PAM (Pluggable Authentication Module). These one-time passcodes are generated using open standards created by the OATH (Initiative for Open Authentication).

Install the needed packages
yum install pam-devel make gcc-c++ wget bzip*

cd /root
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar -xvf libpam-google-authenticator-1.0-source.tar.bz2

cd libpam-google-authenticator-1.0
make
make install
google-authenticator

Do you want authentication tokens to be time-based (y/n) y

Your new secret key is: FGHLERMHLCISCSU6
Your verification code is 485035
Your emergency scratch codes are:
  90385136
  97173523
  18612791
  73040662
  45704109

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y



Configuring SSH to use Google Authenticator Module
Open the PAM configuration file ‘/etc/pam.d/sshd‘ and add the following line to the top of the file.

auth       required     pam_google_authenticator.so
Next, open the SSH configuration file ‘/etc/ssh/sshd_config‘ and scroll for fine the line that says.

ChallengeResponseAuthentication no
Change it to “yes“. So, it becomes like this.

ChallengeResponseAuthentication yes
Finally, restart SSH service to take new changes.

# systemctl restart sshd

Install the Google Authentication Application on the you mobile app or make use of the firefox addoon GAuth Authenticator .Below we show how the Gauth Application is used in Android Phones.



Once we enter the secret key in above setting we will get the verfificatuion code as below, which will be changing in very so and so period.


Login to the Server using Google Authentication
[root@localhost ~]# ssh root@xxx.xxx.xxx.xxx
Password: <<User Password
Verification code: <<The Code which we get from the Phone
Last failed login: Fri Mar 13 04:49:59 UTC 2015 from xxx.xxx.xxx.xxx on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Fri Mar 13 04:48:35 2015 from xxx.xxx.xxx.xxx
[root@server ~]#

Important: The two-factor authentication works with password based SSH login. If you are using any private/public key SSH session, it will ignore two-factor authentication and log you in directly.

No comments:

Post a Comment