Two Factor Authentication for remote SSH users (using google authenticator)
Using Google’s Authenticator, we can change a Debian Linux host to make it require two factor authentication for remote users (or selected users based on name/ip address) as follows.
This is assuming Debian Squeeze.
- wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
- tar -xjf libpam-google-authenticator-1.0-source.tar.bz2
- cd libpam-google-authenticator ; make && make test ; make install
- Edit /etc/ssh/sshd_config and ensure “ChallengeResponseAuthentication yes” is present. Restart sshd if you’ve changed it’s configuration.
- Edit /etc/pam.d/sshd and add in the following two lines in after the @include common-auth line:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf auth required pam_google_authenticator-custom.so nullok
(nullok – don’t force google authenticator on users; i.e. skip if there is no ~/.google_authenticator file for the user in question).
- Create /etc/security/access-local.conf – an example follows :
+ : ALL : 172.30.33.0/24 + : ALL : LOCAL - : ALL : ALL
The above, grants access to local connections (the + ones) and denies ALL users from anywhere else. If the pam_access check succeeds (passes) then we skip the next pam check (google authenticator). If the pam_access check fails (matches a – line) then google authenticator is required.
If you’re using public key authentication to authenticate, then Google Authenticator will not be used due to how sshd undertakes public key authentication. You can use the ‘command=’ string within your authorized_keys file to work around/fix this, more information can be found here.