Use Two-step verification for ssh using google-authenticator


The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).

These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.

Use Two-step verification for ssh using google-authenticator

Install the prerequisites

# yum install git pam-devel make gcc-c++

Get a local copy of the google-authenticator repository using git and run make and make install

# git clone
# cd google-authenticator/libpam/
# make
# make install

Open /etc/pam.d/sshd file using an editor of choice.

# vi /etc/pam.d/sshd

Now for ssh to use google auth add the following line to the very beginning. Make sure this is the very first line in this file.

auth required

Next open sshd_config file using an editor

# vi /etc/ssh/sshd_config

For ssh to challenge you for the OTP, change ChallengeResponseAuthentication on Line 70 to yes

ChallengeResponseAuthentication yes

Restart ssh daemon

# service sshd restart

You can now run ‘google-authenticator’. This will generate a secret key, and add a file to your home directory. You can run it for any user, I will be running it for root as I login to my servers using root.

# google-authenticator

Sample output from my machine

[root@mail01 google-authenticator]# google-authenticator

Do you want authentication tokens to be time-based (y/n) y×200&chld=M|0&cht=qr&chl=otpauth://totp/

Your new secret key is: JG32SHFEBYISFVEY
Your verification code is 205675
Your emergency scratch codes are:

Do you want me to update your “/root/.google_authenticator” file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Open the link provided in a browser×200&chld=M|0&cht=qr&chl=otpauth://totp/

Install google authenticator app on your blackberry, android or IOS based smartphone and then scan the bar code provided by the link above.

googleauth01 Use Two step verification for ssh using google authenticator

Start generating code and login

googleauthenticator01 168x300 Use Two step verification for ssh using google authenticator

Sample output from my machine

$ ssh
Verification code:
Last login: Mon Mar 11 09:23:22 2013 from
[root@mail01 ~]#