Ubuntu Two-Factor Login (public key + Google Authenticator)

The Google authenticator app adds an easy to use true two factor login (rather than just an extra password, I’m looking at you online banking). It is time limited and each code is valid one for 30 seconds, however this can be changed.

There are other guides out there which describe the setup but these follow the assumption that you will be using passwords to login rather than public keys.

This method is tested for Ubuntu 14.04.1 but will likely work for any distro that has a recent release of openssh (v6.6+). The following commands assume you are logged in as root, if not prefix with sudo.

First step is to install the authenticator.

aptitude install libpam-google-authenticator

Next, setup the authenticator for your login or root.

$ /usr/bin/google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/...

[QR CODE]

Your new secret key is: D3WF27FKWZA5TAO3 (not real :P)
Your verification code is 123456
Your emergency scratch codes are:
 12345678
 12345678
 12345678
 12345678
 12345678

Do you want me to update your "/home/sam/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isnt hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

You’ll need to either scan the provided QR code via the authenticator app or follow the provided url.

Now you are enrolled in two-step authentication, congrats.

Next is to update PAM to accept Google Authenticator tokens. Update /etc/pam.d/sshd to include the follow at the top of the file (above @include common-auth).

#Google Authenticator
auth sufficient pam_google_authenticator.so

Sufficient is used rather than required here because required would prompt for the password after the code is entered which is not what we want as public keys are being used.

The final step is to setup the ssh server to accept public keys and allow keyboard interaction. Open /etc/ssh/sshd_config and make the following changes. But take a backup first.

# Add this if not present
PubkeyAuthentication yes
# This allows sshd to ask for the verification code 
# after the public key is accepted
AuthenticationMethods publickey,keyboard-interactive

# Change the following to yes, it is no by default
ChallengeResponseAuthentication yes
# Also disable password logins
PasswordAuthentication no
# This should be present, but add if not present
UsePAM yes

Now restart the ssh server.

service ssh restart

 Important: Don’t close your current session until you know the login is working correctly, as you may get locked out.

Time to test, open a new ssh connection to your box, you should now be greeted like this:

Using username "root".
Authenticating with public key "my-public-key" from agent
Further authentication required
Using keyboard-interactive authentication.
Verification code:

If this fails, you can restore the backup you made of the sshd config (you did make one?), remove the authenticator from the pam config. and restart ssh.

Google Authenticator Project: https://code.google.com/p/google-authenticator/
Authenticator App: Play Store | Apple App Store | Windows Phone

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *