Two-factor SSH authentication via Google secures Linux logins

Vincent Danen details the steps of setting up Google two-factor authentication for SSH.

When Google introduced two-factor authentication for the Google and Google Apps accounts, they also created a pluggable authentication module (PAM) for Linux. This is great news for people running Linux servers who want to protect their remotely-accessible SSH accounts with two-factor authentication. For free.

Two-factor authentication is where you authenticate to a service with two pieces of information: one you know, and one you don't. The information you know is your password (which can be stolen) while the information you don't know is a randomly-generated PIN number that changes every 60 seconds. So even if your password is stolen or discovered, unless an attacker has the means to get the right PIN (tied to a hardware device), they cannot log into the protected service.

Google has created the Google Authenticator application for iPhone, Android, and Blackberry -- effectively turning your phone into your hardware token device. Before you can make use of two-factor authentication to secure your Linux logins, you will need to enable it in your Google account (I also wrote a tip on setting up Google two-factor authentication for users of Mac/iPhone).

Once two-factor authentication is enabled and working with your Google or Google Apps account, you can begin setting up the same for your Linux server. To do so, you will need to download and compile the PAM module for your system. The examples here are based on Fedora 14, but it should be easy enough to figure out the equivalents for whatever distribution you happen to be using. It also assumes you have sudo rights to run anything as root; if that is not the case, su to root and run the commands prefixed with sudo as root. You will need Mercurial installed to initially check out the code.

$ sudo yum install pam-devel
$ hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
$ cd google-authenticator/libpam/
$ make
$ sudo make install
$ sudo vim /etc/pam.d/sshd

Once the PAM module and the command-line google-authenticator application are installed, you need to edit the /etc/pam.d/sshd file to add the module, so it may end up looking like:

  auth required pam_sepermit.so
  auth required pam_google_authenticator.so
  auth include  password-auth

This sets up two-factor authentication for SSH. It is also possible to do the same for gdm, requiring the use of two-factor authentication to log in locally.

When that is done, as the user that you want to require two-factor authentication for, run the google-authenticator application, which will create a new secret key in your home directory:

% google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DSAEP64T5VZAVWAFB
Your new secret key is: SAEP64T5VZAVWAFB
Your verification code is 376046
Your emergency scratch codes are:
  67868696
  26247332
  54815527
  54336661
  71083816
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

In your browser, load the URL noted above; it will show a QR code that you can scan into your phone using the Google Authenticator application for iPhone, Android, or Blackberry. If you already have a Google Authenticator token being generated on your phone, you can add a new one and it will display them both (and distinguish them by name).

One quick tip: time is _very_ important, so the server you are logging into should have an NTP client installed in order to keep the time accurate. Keep an eye on this; if you are having trouble you may have to increase the window size as noted by google-authenticator.

You will also need to edit /etc/ssh/sshd_config to enable "ChallengeResponseAuthentication" and "UsePAM" (set them both to "yes").

Restart sshd after making any changes to the file.

When this is done, try logging into the system via SSH:

% ssh server
Verification code:
Password:
Last login: Tue May 10 11:54:21 2011 from client.example.com

You must provide the verification code as presented by your phone in order to log in. Even if the password is known, without the verification code, the login will fail. Also note that you will be unable to use this if you use ssh private/public keys as the two are mutually exclusive (key-based logins get a passphrase prompt client-side and never provide a password to the server).
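As an added illustration (this is not code from the article or from the Google Authenticator project), the following Python reimplements what the PAM module does when the Verification code: prompt is answered: RFC 4226/6238 HMAC-SHA1 codes, the one-step skew window that gives the 1:30 min default, and the one-use-per-token rule chosen in the prompts above. The secret is the sample one printed by google-authenticator above; the class and function names are the example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30   # token lifetime in seconds, as google-authenticator states
DIGITS = 6  # verification codes are six digits


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, now: int, step: int = STEP) -> str:
    """RFC 6238: the counter is the number of whole steps since the Unix epoch."""
    return hotp(secret_b32, now // step)


class TotpVerifier:
    """Server-side checks the prompts above describe: skew window plus one use per token."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP):
        self.secret = secret_b32
        self.window = window  # 1 = one step before and after = 3 x 30 s = the 1:30 min default
        self.step = step
        self.used = set()     # counters already accepted ("disallow multiple uses")

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for counter in range(base - self.window, base + self.window + 1):
            if counter in self.used:
                continue  # a replayed token is rejected even inside the window
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used.add(counter)
                return True
        return False


if __name__ == "__main__":
    # The secret printed by google-authenticator in the sample output above.
    print("current code for SAEP64T5VZAVWAFB:", totp("SAEP64T5VZAVWAFB", int(time.time())))
```

With window=3 the verifier accepts seven steps, roughly the "about 4min" option in the prompt; a code accepted once is never accepted again, which is what the "disallow multiple uses" answer buys you.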

Setting up two-factor authentication for SSH is surprisingly simple, thanks to Google. It only takes a few minutes to set up, the infrastructure and tools are free, and the security gains are great.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

18 comments
espegro

Just a tip, you may run into SELinux problems on RHEL 6.x. If you set up GA with the example in the README file using a local path for home directories with .google-authenticator files:

  auth required pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google-authenticator

you may get problems with SELinux; sshd will not be able to update the files in /var/unencrypted-home. This can be solved by changing the SELinux type of the directory:

  # semanage fcontext -a -t ssh_home_t '/var/unencrypted-home(/.*)?'

and then do a relabel after changes:

  # restorecon -Rv /var/unencrypted-home

Espen

dugsong

As an OpenSSH author (see the ssh manpage :-) I'm somewhat biased, but encourage folks to check out Duo Security instead: http://blog.duosecurity.com/2011/04/announcing-duos-two-factor-authentication-for-unix/

It's much easier:
- Phone call, SMS, smartphone push, in addition to free mobile apps on 7 platforms
- Self-service enrollment with no command-line tools to run or accounts to set up

More flexible:
- Also works to protect SSH pubkey authentication, which PAM modules cannot - and doesn't even require restarting sshd!

Not just for Linux:
- Protect your Solaris, MacOS X, *BSD, etc. boxes; Cisco, Juniper, etc. VPNs, web applications, etc.
- All open source code at https://github.com/duosecurity

And free for up to 10 users. It is our way of giving back to the security and systems communities we've been part of for decades.

bond.masuda

apparently the makefile only tests for /usr/lib/libdl.so so it can't find the functions in that library on 64bit installations (/usr/lib64/libdl.so). the build itself works fine if you do it manually (add -ldl)... or fix the makefile.

WDMilner

Google collects too ... dern...much information already. I won't give them my phone number - and I certainly don't want them anywhere near my servers let alone my secure logons. You want security you go to security specialists - you want groceries, try the local market.

valduboisvert

At least for my servers. My phone though is another story. Although I have to admit I do not use my phone for doing online transactions or even checking bank accounts or something else. Smartphone security is still in an infant stage imho. pace

jlsjonas

Title says it all... I'd like to use it to protect my netbook/laptop a little more; being able to add this on my normal logon screen would help :) (I know... format & you're good to go; but would protect from password-peeking by co-students) edit: also, if someone knows how to implement this on RDP to win server 2008; would help me as well :)

bblackmoor

"PIN" is an acronym. The third letter of "PIN" stands for "number". Saying "PIN number" is the same as saying "personal identification number number".

pgit

Is there anything google gets out of this? e.g. is there a potential for a back door? Session stealing? I understand the real enhancement inherent in a two-factor auth, but this particular third party automatically raises doubts. Something tells me to beware any "help" from google. I'll keep using my ssh keys...

cepler

Duo Security is great and free for small setups. The one major limitation right now on the iOS app is that it only supports push and code generation when linked with one site or "integration" as they call it. To change it to another one you have to delete the app, reinstall and re-integrate it with your account, unlike Google which allows multiple codes in one app. They've indicated this is a feature that they are working on, and phone/sms auth still works but multi-site push notifications would be very nice to have. The push notifications are quite fast and easy to do.

pgit

I'll take this opportunity to thank one of the generous, capable developers of by far my favorite software of any kind. A big "THANK YOU," may wealth, health and happiness litter your path! I couldn't live without OpenSSH, it's far too useful to enumerate the benefits here... And given all that, you bet I'll check out duo. Thanks for the tip... =)

Harmil

Do you have an alternative in mind? Google provides fast, reliable two-factor authentication in source code form. Seems ideal to me. As for information collection... I don't think your one-time keys are terribly interesting to Google. The reason they're providing this for free is to improve the overall security of the Web. If you think about it from their perspective, being the dominant search and advertising player on the Web puts Google in an interesting spot. Any change that they make that increases reliability and security of the Web is likely to increase use, and increased use translates to an increased user base for Google search and advertising. It's actually in their best interests to make the Web faster, more reliable and more secure. That's why you see efforts like this, GWT and their Webmaster tools.

AnsuGisalas

it also sounds strange. PIN code, yes. PIN number, not so much.

bigvalen

Yes, you can keep your SSH keys. It's a second factor, so you need this + your SSH keys. As long as you don't give them to Google, or leave them unencrypted, you'll be more secure with Google 2Factor.