Configure SSH for 2-factor authentication

In the past few days I got the idea of making my server more secure by deploying 2-factor authentication for SSH sessions.
There are lots of solutions for it, but as there are not many users on this server and I wanted a fast, secure way to achieve this, I started to use Google Authenticator.
It has applications for Android, iPhone and BlackBerry, so I won't face angry users who don't have Android, for example :).

You can get information about this Google project at: http://www.google.com/landing/2step/features.html

I'm using CentOS in my environment, and unfortunately there is no package in the official repositories, so I'm going to build the binaries from source.

For this you must have a build environment on a machine (it's your choice whether you install this on your server or build the binaries on another system).
So first, install the Development Tools group on the machine where you will run the build (as this will be a PAM module, the pam-devel package will also be needed):

yum groupinstall 'Development Tools'
yum install pam-devel

After it's finished, you will have everything needed to build the binaries which will be used later. So it's time to get the source code.
The project is currently on GitHub: https://github.com/google/google-authenticator – here you will see some examples, and you can grab the source code.
You can get the source code using git:

git clone https://github.com/google/google-authenticator

You will see that the repository has been cloned into a subfolder called google-authenticator; go into it, then into the libpam subfolder.
Enter the command 'make'.

After a short time the binaries will be ready, and it's time to install them:

make install

cp pam_google_authenticator.so /lib64/security
cp google-authenticator /usr/local/bin

So we have a shared object and a binary; let's find out what we have to do with them.

Of course, if your build environment is on a different system, simply copy the two files onto your server.

As I've mentioned earlier, this is a PAM module, so we have to configure PAM to use it.

All of the PAM (Pluggable Authentication Module) files are in the /etc/pam.d folder. As we currently want to use this only for sshd, we need to edit the file sshd.

As I've mentioned earlier, I wanted true 2-factor authentication, so I will require both the password (or private key) and the token generated by Google Authenticator.
For this I only need to add one line at the top:

auth required pam_google_authenticator.so

After I set this up, users without an authenticator won't be able to log in. So if you want to give them a little time before you enforce this, you can use the nullok parameter:

auth required pam_google_authenticator.so nullok

You will also need to configure sshd; the following line will be needed:

ChallengeResponseAuthentication yes

So now we need to set up Google Authenticator on our account and on our phone. You can easily find the app 'Google Authenticator' in the Play Store:
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en

Now it's time to configure our account to accept the token from our phone. As you've seen, there is a binary called google-authenticator; let's begin with it.
Issue the command

google-authenticator

Do you want authentication tokens to be time-based (y/n) y

Then you will see a QR code, as well as your new secret key, a verification code, and emergency scratch codes. Keep them safe :).

Do you want me to update your "/home/user/.google_authenticator" file (y/n) y

Now 3 simple questions. As I usually use multiple sessions, run an NTP client on the servers, and have already hardened (and am still hardening) my system against brute-force, I answered n to all 3 questions:

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) n

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) n

Now it's time to configure your phone's app. You can use your terminal and your camera (scan the QR code), or the link which the google-authenticator binary prints before the QR code.

Open Authenticator on your phone, tap 'Begin setup', then scan the barcode from the terminal and here we go.

At the next login it will ask you for your verification code and for your password.
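To see what the three policy questions above actually decide, here is an added example (not code from this post or from the google-authenticator project) that models the module's token check in Python: RFC 6238 TOTP over 30-second steps, a skew window where 3 means the current code plus one before and one after, optional rejection of a reused code, and a simplified rate limit of N attempts per M seconds. The secret is the constructed RFC 4226/6238 test key, and the verifier class is an assumed simplification, not the PAM module's own logic.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # token lifetime in seconds, as google-authenticator reports
# Constructed sample: base32 of the RFC 4226/6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: 6-digit code for a base32 secret and a counter."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def totp(secret_b32: str, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret_b32, now // STEP)


class TotpVerifier:
    """Assumed model of the three setup questions: window, reuse, rate limit."""

    def __init__(self, secret_b32, window=3, disallow_reuse=False, rate_limit=None):
        self.secret = secret_b32
        self.window = window          # 3 = current step +/- 1 (1:30 min of codes)
        self.disallow_reuse = disallow_reuse
        self.rate_limit = rate_limit  # (attempts, seconds) or None
        self.used_steps = set()       # steps whose code was already accepted
        self.attempts = []            # timestamps of recent attempts

    def verify(self, code: str, now: int) -> bool:
        if self.rate_limit:
            max_attempts, secs = self.rate_limit
            self.attempts = [t for t in self.attempts if now - t < secs]
            if len(self.attempts) >= max_attempts:
                return False          # too many attempts in the window
            self.attempts.append(now)
        half = self.window // 2
        for step in range(now // STEP - half, now // STEP + half + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                if self.disallow_reuse and step in self.used_steps:
                    return False      # same token presented twice
                self.used_steps.add(step)
                return True
        return False
```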
