Linux and PHP web application support and development (Bromsgrove, UK)

Two Factor Authentication for remote SSH users (using google authenticator)

May 27, 2013, palepurple, linux, security, systems administration, , 0

Using Google’s Authenticator, we can change a Debian Linux host to make it require two factor authentication for remote users (or selected users based on name/ip address) as follows.

This is assuming Debian Squeeze.

Installation

  1. wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
  2. tar -xjf libpam-google-authenticator-1.0-source.tar.bz2
  3. cd libpam-google-authenticator ; make && make test ; make install

Configuration

  • Edit /etc/ssh/sshd_config and ensure “ChallengeResponseAuthentication yes” is present. Restart sshd if you’ve changed it’s configuration.
  • Edit /etc/pam.d/sshd and add in the following two lines in after the @include common-auth line:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator-custom.so nullok

(nullok – don’t force google authenticator on users; i.e. skip if there is no ~/.google_authenticator file for the user in question).

  • Create /etc/security/access-local.conf – an example follows :
+ : ALL : 172.30.33.0/24
+ : ALL : LOCAL
- : ALL : ALL

The above, grants access to local connections (the + ones) and denies ALL users from anywhere else. If the pam_access check succeeds (passes) then we skip the next pam check (google authenticator). If the pam_access check fails (matches a – line) then google authenticator is required.

Caveats

If you’re using public key authentication to authenticate, then Google Authenticator will not be used due to how sshd undertakes public key authentication. You can use the ‘command=’ string within your authorized_keys file to work around/fix this, more information can be found here.

, ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Share

Search

Customer Quotes

  • Pale Purple have always been committed to understanding what we need as a customer, and delivering solutions in a timely and cost effective manner. They offer fast, dedicated and expert support. They have had no problems in adapting solutions to our ever changing IT needs. Matthew Urch
    Bollingroup.com

Copyright Pale Purple Ltd 2006 - 2013. Pale Purple is a trading name of Pale Purple Limited, Registered in England and Wales (Registered No. 5580814)