Installing and using Google Authenticator was pretty easy. I give credit to howtogeek.com for their straightforward instructions on using it. However, I wanted to change some things about their setup. You'll find my instructions to be similar to theirs, but with some important differences. This was done on Ubuntu 14.04.
Install the Google Authenticator PAM module:

    sudo apt-get install libpam-google-authenticator

Log in as the user you will be using the authenticator with, and run the following command:

    google-authenticator

Set up Google Authenticator on your phone using either the QR code it generates or by typing the secret in manually. The command also prints a handful of one-time emergency scratch codes; write those down somewhere safe, because they are the only way in if you lose the phone.
Now, this is where I diverge a little from the howtogeek version. Open up the /etc/pam.d/sshd file on your machine. Put this at the very top of the file:

    auth sufficient pam_access.so accessfile=/etc/security/access-local.conf
    auth sufficient pam_google_authenticator.so

And then comment out the following line in the same file:

    #@include common-auth

Commenting out common-auth removes the normal Unix password check from sshd's PAM stack, which is what we want here: the first factor is going to be your ssh key, not a password, and the only thing PAM should ever ask for is the authenticator code.
Now, open up your /etc/ssh/sshd_config file. Edit or add the following lines to be as follows:

    ChallengeResponseAuthentication yes
    PubkeyAuthentication yes
    UsePAM yes
    AuthenticationMethods publickey,keyboard-interactive:pam

Lastly, create the file /etc/security/access-local.conf and edit it to your liking. Addresses listed here with a + will bypass the Google Authenticator requirement. Mine looks like this:
    # only allow from local IP range
    + : ALL : 192.168.1.2/32
    + : ALL : LOCAL
    - : ALL : ALL

Restart ssh, and you should be all set up.
    sudo service ssh restart

Ok. So let's talk through what this does. sshd has now been configured to require two things to let you in, in that order: public key authentication has to succeed first, and only then does sshd hand you over to PAM via keyboard-interactive. PAM first runs pam_access, which looks at the address you connected from and compares it against /etc/security/access-local.conf. If your address matches a line with a + next to it, pam_access succeeds, and because it is marked sufficient, the PAM stack stops right there and lets you in. If you don't match a + line, the final "- : ALL : ALL" makes pam_access fail; a failing sufficient module is simply skipped, so PAM moves on to pam_google_authenticator, which asks you for the current code from the app on your phone. This is nice, because it gives you an extra layer of security for anyone trying to access your machine from a non-standard location, while from the listed locations the login is just an easy public key auth.

Two things to watch out for. First, keep your existing ssh session open while you test this from a second terminal: a typo in sshd_config or in the PAM stack will lock you out, and the open session is how you fix it. Second, pam_google_authenticator is configured here without nullok, so any user who has not run google-authenticator (and therefore has no ~/.google_authenticator file) will be refused from every address that is not listed with a + in access-local.conf.
As a reminder, Google Authenticator does NOT talk to Google. It works from a secret key that the server and the phone share. From that key and the current time, both sides compute the same six-digit code for each 30-second window (the TOTP scheme from RFC 6238, an HMAC of the time counter under the shared key); the codes look random, but they are fully determined by the key and the clock, which is how your server can recognize your phone. Please note however, that the secret key is stored in plain text on the server in /home/YourUserName/.google_authenticator. The file is created mode 0400, so only that user and root can read it, but anyone with root access (or a compromise of your account) can read that file and generate valid codes. The authenticator is a second factor on top of your ssh key, not a replacement for it, so it is still imperative that you keep your ssh private key secure.
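To make the "shared secret plus time" idea concrete, here is a small TOTP implementation in Python. It is added here as an illustration and is not code from the original post or from the libpam-google-authenticator project. It assumes the defaults the PAM module uses (HMAC-SHA1, 30-second steps, six-digit codes) and a base32 secret in the form google-authenticator prints it, which is also what sits on the first line of ~/.google_authenticator. The sample secret is the RFC 4226/6238 test key, not a real one, and the verify() window size is my choice for the example.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(b32_secret):
    """Decode a base32 secret as printed by google-authenticator.
    The tool prints it without '=' padding, so padding is restored here."""
    s = b32_secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second
    window. Phone and server each compute exactly this; no network is involved."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify(secret, code, at=None, window=1, step=30, digits=6):
    """Accept the code if it matches the current window or one of the
    `window` neighbouring windows on either side (tolerates clock skew
    between phone and server). Constant-time comparison so timing does
    not leak which digits were right."""
    if at is None:
        at = time.time()
    for delta in range(-window, window + 1):
        expected = totp(secret, at + delta * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed example: the RFC 4226/6238 test secret "12345678901234567890",
# base32-encoded the way google-authenticator would print it (no padding).
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_secret(EXAMPLE_SECRET_B32)
    print("code for T=59:", totp(key, at=59))   # RFC 6238 vector: 287082
    print("code now:     ", totp(key))
```

Running the script with the test secret reproduces the published RFC 6238 vectors, which is a useful sanity check if you ever suspect the server clock rather than the secret is why codes are being rejected: a drifting clock shows up as codes that validate only inside a larger window.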