Skip to main content

Remote two-factor authentication, with ssh public keys, and google authenticator

Installing and using the Google Authenticator was pretty easy. I give credit to for their straight forward instructions on using it. However, I wanted to change some things about their setup. You'll find my instructions to be similar to theirs, but with some important differences. This was done on Ubuntu 14.04.

Install the google auth pam module:
sudo apt-get install libpam-google-authenticator
Login as the user you will be using the authenticator with, and run the following command:
Set up Google Authenticator on your phone using either the QR code it generates, or manually type it in.

Now, this is where I diverge a little from the howtogeek version. Open up the /etc/pam.d/sshd file on your machine. Put this at the very top of the file:
auth sufficient accessfile=/etc/security/access-local.conf
auth sufficient
And then comment out the following line in the same file:
#@include common-auth
 Now, open up your /etc/ssh/sshd_config file. Edit or add the following lines to be as follows:
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
Lastly, create the file /etc/security/access-local.conf and edit it to your liking. IPs in here will bypass the google authenticator requirement. Mine looks like this:
# only allow from local IP range
+ : ALL :
- : ALL : ALL
Restart ssh, and you should be all set up.
sudo service ssh restart
Ok. So let's talk through what this does. sshd has now been configured to require two things to allow access. It will require public key auth, and it will ask pam to authorized you as well. Pam will first look at your IP address, and see if it matches anything in the /etc/security/access-local.conf file. If your IP address matches one of the ranges in that file with a + next to it, it will say that you are good, and let you in. If you don't match what's in that file, then it will ask you for your google authenticator code that you will need to get from your app on your phone. This is nice, because it allows you to have an extra layer of security for anyone trying to access your machine from a non-standard location, while from other locations, the authorization process is just an easy public key auth process.

As a reminder, google authenticator does NOT talk to google. It works based on a common secret key that the server and the phone share. And based on that key, and the time of day, it generates random numbers. So your server can recognize your phone with those random numbers. Please note however, that the secret key is stored in plain text on the server in /home/YourUserName/.google_authenticator. Anyone with root access can read that file, and use that key, so it is still imperative that you keep your ssh private key secure. 


Popular posts from this blog

An Open Letter to My Friends in Sales and Biz Dev

To my Friends in Sales:
I get a lot of sales calls, and I don't mind it, but it means that I've got to keep them quick or they quickly take up too much time. So I created this list of tips for you so we can make the best of your time and mine: I will ask questions on the introductory call about features and prices. Please be ready to answer those. I want that information so I can decide if it would be worth your and my time for a demo. If you don't have the information or can't give it to me, then that's probably as far as the call will go.I appreciate that you are trying to be friendly by talking sports and weather etc., but I'd rather get to the point. Keep it on topic please.Please don't use leading questions like: "If you could succeed in this difficulty, how would that help you?" and such. I know my own situation just fine, what I don't know is your product. So let's keep the conversation on that please.If I decide to get your product,…

Which rpm did this file come from?

Need to know what rpm a certain file came from? Sometimes I want a certain program on one machine that I have on another, and my rpm searches come up blank. This happened with a program that I needed called lockfile, that I couldn't figure out how to install. It ended up being in the procmail-3.22-203.1 rpm.

The command I used was this:
rpm -qf /usr/bin/lockfile I found that tip here:

Strengthening the Weakest Link

Employees are frequently cited as being the weakest link in security. Rather than argue this point, I'm just going to reference a few articles here and move on (Fortune, Fraud-magazine, Forbes). Now, in general, employees are considered the weakest link because they don't always make smart decisions.

For example, in one company I was at, a phishing email was sent out to many of the employees. The email was from "Emily", the subject was "New Pics" and the body was simply "Check out my latest pics" with a link. I was amazed at how many people clicked on that link and consequently installed a virus. A similar attack came a few months later, but spread over chat instead. I felt that we needed to train our employees better.

I should note here that there is a good argument for security software that is idiot proof, that prevents employees from hurting their networks or losing information. I entirely believe in using such software, but hackers are very s…