SSH 2 Factor Authentication With Google Authenticator In Ubuntu 12.04

Overview

I love 2 factor authentication and believe it’s one of the best way forward to securing access. 2 Factor authentication combines something you know such as a password with something you have like fingerprint. In this case SSh will still request a password but the something you have part will be the numeric code provide by Google’s Authenticator application which changes every minute. Google Authenticator is similar to the popular RSA tokens.

Install

The PAM module for Google authenticator is already in the Ubuntu repository. To install this module run the following command sudo apt-get install libpam-google-authenticator

Confirguration

Next part is to configure the 2 factor authentication. This is done on a per user basis and therefore all the commands from here on out will be done as the user who will be using the 2 factor authentication.

Start the setup process by entering google-authenticator

A series of questions will follow which explain very clearly on what they are and what they mean. Generally answering ‘y’ to all of them will suffice.

Activate Google Authenticator

Edit /etc/pam.d/sshd and add the following to the file auth required pam_google_authenticator.so Save and exit the file

Next edit /etc/ssh/sshd_config and find ChallengeResponseAuthentication and change it to yes if necessary. If the line does not exist then add it to the file.

Restart SSH service. This may disconnect a remote session sudo service ssh restart

If it was successful the next login will ask for a verification code.

Regenerating Code

To create a new code and run the google-authenticator command again as the same user. If the code is lost, the only way to gain access is to login as a different user and su (switch user) and run the setup again.

Remove / Disable 2 Factor Authentication

Undo the changes in the section to Activate Google Authenticator and restart SSh service.

Summary

This is a very simple and easy to use setup and provides additional layer of security.

How to Secure SSH with Google Authenticator’s Two-Factor Authentication

About Danny

I.T software professional always studying and applying the knowledge gained and one way of doing this is to blog. Danny also has participates in a part time project called Energy@Home [http://code.google.com/p/energyathome/] for monitoring energy usage on a premise. Dedicated to I.T since studying pure Information Technology since the age of 16, Danny Tsang working in the field that he has aimed for since leaving school. View all posts by Danny → This entry was posted in Linux, Security and tagged , , , , , , , . Bookmark the permalink.

2 Responses to SSH 2 Factor Authentication With Google Authenticator In Ubuntu 12.04

  1. Bryan says:

    I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you use it, it is worth the time and effort to have the confidence that your account won’t get hacked and your personal information isn’t up for grabs. I’m hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.

Leave a Reply