Linux and PHP web application support and development (Bromsgrove, UK)

Two Factor Authentication for remote SSH users (using google authenticator)

Using Google’s Authenticator, we can change a Debian Linux host to make it require two factor authentication for remote users (or selected users based on name/ip address) as follows.

This is assuming Debian Squeeze.

Installation

  1. wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
  2. tar -xjf libpam-google-authenticator-1.0-source.tar.bz2
  3. cd libpam-google-authenticator ; make && make test ; make install

Configuration

  • Edit /etc/ssh/sshd_config and ensure “ChallengeResponseAuthentication yes” is present. Restart sshd if you’ve changed its configuration.
  • Edit /etc/pam.d/sshd and add the following two lines after the @include common-auth line:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator-custom.so nullok

(nullok – don’t force google authenticator on users; i.e. skip if there is no ~/.google_authenticator file for the user in question).

  • Create /etc/security/access-local.conf – an example follows:
+ : ALL : 172.30.33.0/24
+ : ALL : LOCAL
- : ALL : ALL

The above grants access to local connections (the + lines) and denies ALL users from anywhere else. If the pam_access check succeeds (passes), the success=1 control skips the next PAM check (google authenticator). If the pam_access check fails (matches a ‘-’ line), google authenticator is required.
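To make the skip logic of the two PAM lines and the access file concrete, here is an added Python model (not from this post or from the PAM project) that evaluates a user and client origin against the rules above and reports whether the authenticator prompt would be reached. The handling of the LOCAL keyword (a constructed loopback list) and the literal comparison of non-address origins are simplifying assumptions, not pam_access’s exact matching.

```python
import ipaddress

# Constructed copy of the access-local.conf rules shown in the post.
ACCESS_LOCAL_CONF = """\
+ : ALL : 172.30.33.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""

def parse_access_conf(text):
    """Parse pam_access rules of the form 'permission : users : origins'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(pattern, origin, local_hosts):
    """Match one origin field; LOCAL is simplified to a constructed loopback list."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return origin in local_hosts
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern == origin  # hostname or tty name, compared literally (assumption)

def pam_access_permits(rules, user, origin, local_hosts=("127.0.0.1", "::1")):
    """First matching rule wins, as in pam_access; no matching rule means permit."""
    for permit, users, origins in rules:
        if ("ALL" in users or user in users) and any(
                origin_matches(p, origin, local_hosts) for p in origins):
            return permit
    return True

def otp_required(rules, user, origin, has_secret):
    """[success=1 default=ignore] skips the OTP module on permit; nullok waives users with no secret."""
    if pam_access_permits(rules, user, origin):
        return False
    return has_secret

if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_LOCAL_CONF)
    print(otp_required(rules, "alice", "172.30.33.17", True))  # False: on the LAN, OTP skipped
    print(otp_required(rules, "alice", "203.0.113.5", True))   # True: remote, OTP prompted
```

Note the nullok case: a remote user with no ~/.google_authenticator file is not prompted at all, so the access file alone does not guarantee a second factor for every account.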

Caveats

If you’re using public key authentication, Google Authenticator will not be used, due to how sshd undertakes public key authentication. You can use the ‘command=’ string within your authorized_keys file to work around/fix this; more information can be found here.

