Google two-factor authentication adds a further layer of security to an SSH server against attackers. This article shows how to protect your SSH server with two-factor authentication using the Google Authenticator PAM module. Once it is enabled, every time you SSH to the server you must also enter a code generated on your phone or another device in order to log in.
Step 1: Setup Required Repository
First we need to add the RPMForge yum repository to the system. Add it using one of the following commands, depending on your architecture.
CentOS/RHEL 6, 32 Bit (i686):
# rpm -Uvh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
CentOS/RHEL 6, 64 Bit (x86_64):
# rpm -Uvh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
Step 2: Install Google Authenticator
Install Google authenticator using yum command line tool.
# yum install google-authenticator
Step 3: Configure Google authenticator
For this tutorial I am using a demo account for testing. Use the steps below to configure google-authenticator for the user demouser1.
# su - demouser1
$ google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DWUGQECLUOFLAEAAZ
Your new secret key is: WUGQECLUOFLAEAAZ
Your verification code is 002879
Your emergency scratch codes are:
  52979690
  49230818
  19888375
  80196807
  17714397

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
Google Authenticator shows you a secret key and several “emergency scratch codes”. Each scratch code can be used only once, in case you lose access to your secret key, so write them down and keep them in a safe place.
Use the Google Authenticator application on your Android, iPhone or BlackBerry phone to generate verification codes by entering the secret key. You can also scan the QR code at the URL shown above instead of typing the key.
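To show what the PAM module checks behind the prompts above (30-second TOTP tokens, the skew window of one token before and after, no reuse of the same token, single-use scratch codes), here is an added worked example in Python; it is not code from the article or from the google-authenticator project, and the page's demo secret and first scratch code are reused only as sample input.

```python
import base64, hashlib, hmac, struct, time

STEP = 30        # tokens are good for 30 seconds, as the prompt says
DIGITS = 6       # verification codes such as 002879 are six digits

def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret_b32: str, at: float = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter = Unix time // 30 (what the phone app shows)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at) // STEP)

class Verifier:
    """Server-side check mirroring the options chosen in the article's prompts."""
    def __init__(self, secret_b32: str, scratch_codes, skew_steps: int = 1):
        self.secret = secret_b32
        self.scratch = set(scratch_codes)   # emergency codes, each valid once
        self.skew = skew_steps              # 1 = one token before/after (the 1:30min window)
        self.used = set()                   # counters already accepted (disallow reuse)

    def verify(self, code: str, at: float) -> bool:
        if code in self.scratch:            # scratch code: accept, then burn it
            self.scratch.discard(code)
            return True
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        now = int(at) // STEP
        for counter in range(now - self.skew, now + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.used:    # same token presented twice: reject
                    return False
                self.used.add(counter)
                return True
        return False

if __name__ == "__main__":
    # Sample input taken from the article's google-authenticator output.
    demo = Verifier("WUGQECLUOFLAEAAZ", ["52979690"])
    code = totp("WUGQECLUOFLAEAAZ")
    print("current token:", code, "accepted:", demo.verify(code, time.time()))
    print("replayed token accepted:", demo.verify(code, time.time()))
```

Widening the window (the "about 4min" prompt) corresponds to a larger skew_steps; the rate-limiting prompt is a separate counter of attempts per 30s that this example does not model.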
You may also use Java-based applications to generate verification codes. Use the link below for details.
Step 4: Activate Google authenticator
To enable Google Authenticator, edit /etc/pam.d/ssh and add the line below as line 1. This turns on Google authentication for SSH logins.
auth required pam_google_authenticator.so
Edit /etc/ssh/sshd_config and change the ChallengeResponseAuthentication option to ‘yes’. With this enabled, OpenSSH can ask the user any number of additional questions (such as the Google Authenticator verification code) rather than only the password it normally asks for.
Finally, restart the SSH service:
# service sshd restart