Linux and PHP web application support and development (Bromsgrove, UK)

tel: 0845 0046746

Two Factor Authentication for remote SSH users (using google authenticator)

Using Google’s Authenticator, we can change a Debian Linux host to make it require two factor authentication for remote users (or selected users based on name/ip address) as follows.

This is assuming Debian Squeeze.

Installation

  1. wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
  2. tar -xjf libpam-google-authenticator-1.0-source.tar.bz2
  3. cd libpam-google-authenticator ; make && make test ; make install

Configuration

  • Edit /etc/ssh/sshd_config and ensure “ChallengeResponseAuthentication yes” is present. Restart sshd if you’ve changed it’s configuration.
  • Edit /etc/pam.d/sshd and add in the following two lines in after the @include common-auth line:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator-custom.so nullok

(nullok – don’t force google authenticator on users; i.e. skip if there is no ~/.google_authenticator file for the user in question).

  • Create /etc/security/access-local.conf – an example follows :
+ : ALL : 172.30.33.0/24
+ : ALL : LOCAL
- : ALL : ALL

The above, grants access to local connections (the + ones) and denies ALL users from anywhere else. If the pam_access check succeeds (passes) then we skip the next pam check (google authenticator). If the pam_access check fails (matches a – line) then google authenticator is required.

Caveats

If you’re using public key authentication to authenticate, then Google Authenticator will not be used due to how sshd undertakes public key authentication. You can use the ‘command=’ string within your authorized_keys file to work around/fix this, more information can be found here.

, ,

Leave a Reply

Your email address will not be published. Required fields are marked *