The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).
These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.
Use Two-step verification for ssh using google-authenticator
Install the prerequisites
# yum install git pam-devel make gcc-c++
Get a local copy of the google-authenticator repository using git, then run make and make install in the libpam directory.
# git clone https://code.google.com/p/google-authenticator/
# cd google-authenticator/libpam/
# make install
Open the /etc/pam.d/sshd file using an editor of your choice.
# vi /etc/pam.d/sshd
Now, for ssh to use Google Authenticator, add the following line at the very beginning. Make sure this is the very first line in the file.
auth required pam_google_authenticator.so
Next, open the sshd_config file using an editor.
# vi /etc/ssh/sshd_config
For ssh to challenge you for the OTP, change ChallengeResponseAuthentication on Line 70 to yes.
Restart the ssh daemon.
# service sshd restart
You can now run ‘google-authenticator’. This will generate a secret key and add a file to your home directory. You can run it for any user; I will be running it for root as I log in to my servers using root.
Sample output from my machine
[root@mail01 google-authenticator]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: JG32SHFEBYISFVEY
Your verification code is 205675
Your emergency scratch codes are:
Do you want me to update your “/root/.google_authenticator” file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
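To make the TOTP behaviour behind the prompts above concrete (the 30-second token step, the "one extra token before and after" skew window, and the "disallow multiple uses" restriction), here is an added Python example; it is not code from the original post or from the google-authenticator project, and it uses the RFC 4226 test key instead of a real secret.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # token lifetime described in the google-authenticator prompts
DIGITS = 6

# Base32 form of the RFC 4226 test key "12345678901234567890" (a published test
# vector, NOT a real secret); a real key is the one google-authenticator prints.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(base64.b32decode(secret_b32.upper()), at // step)


def verify(secret_b32: str, code: str, at: int, window: int = 1,
           step: int = STEP_SECONDS, last_used=None):
    """Return the counter the code matched, or None.

    window=1 accepts counters now-1..now+1, i.e. the default three-token
    (1:30 min) window; a larger window tolerates more clock skew at the cost
    of more codes being valid at once.  If last_used (the last accepted
    counter) is given, that counter and anything older is rejected, which is
    what the "disallow multiple uses of the same token" option enforces."""
    secret = base64.b32decode(secret_b32.upper())
    base = at // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_used is not None and counter <= last_used:
            continue
        # constant-time comparison so the check does not leak matching digits
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None
```

Run verify() twice with the same code and pass the first call's result as last_used to the second: the replay is refused even though the code is still inside the time window.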
Open the link provided in a browser
Install the Google Authenticator app on your BlackBerry, Android or iOS smartphone, then scan the bar code provided by the link above.
Start generating codes and log in.
Sample output from my machine
$ ssh email@example.com
Last login: Mon Mar 11 09:23:22 2013 from 192.168.209.1