Thursday, March 12, 2015

Google Two-Factor Authentication on Linux Server

The Google Authenticator is an open-source module that includes implementations of one-time passcodes (TOTP) verification token developed by Google. It supports several mobile platforms, as well as PAM (Pluggable Authentication Module). These one-time passcodes are generated using open standards created by the OATH (Initiative for Open Authentication).

Install the needed packages
yum install pam-devel make gcc-c++ wget bzip*

cd /root
tar -xvf libpam-google-authenticator-1.0-source.tar.bz2

cd libpam-google-authenticator-1.0
make install

Do you want authentication tokens to be time-based (y/n) y

Your new secret key is: FGHLERMHLCISCSU6
Your verification code is 485035
Your emergency scratch codes are:

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Configuring SSH to use Google Authenticator Module
Open the PAM configuration file ‘/etc/pam.d/sshd‘ and add the following line to the top of the file.

auth       required
Next, open the SSH configuration file ‘/etc/ssh/sshd_config‘ and scroll for fine the line that says.

ChallengeResponseAuthentication no
Change it to “yes“. So, it becomes like this.

ChallengeResponseAuthentication yes
Finally, restart SSH service to take new changes.

# systemctl restart sshd

Install the Google Authentication Application on the you mobile app or make use of the firefox addoon GAuth Authenticator .Below we show how the Gauth Application is used in Android Phones.

Once we enter the secret key in above setting we will get the verfificatuion code as below, which will be changing in very so and so period.

Login to the Server using Google Authentication
[root@localhost ~]# ssh
Password: <<User Password
Verification code: <<The Code which we get from the Phone
Last failed login: Fri Mar 13 04:49:59 UTC 2015 from on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Fri Mar 13 04:48:35 2015 from
[root@server ~]#

Important: The two-factor authentication works with password based SSH login. If you are using any private/public key SSH session, it will ignore two-factor authentication and log you in directly.

No comments:

Post a Comment