Two Factor Authentication with Google Authenticator on SmartOS

By Alasdair Lumsden on 19 Sep 2013


Google Authenticator is a Two Factor Authentication application for mobile devices, which can be used to enhance login security, such as SSH logins to servers. I recently blogged about doing this with Yubico Yubikeys, but what’s really neat about Google Authenticator is the fact that you don’t need to carry around anything more than just your mobile phone, something most of us have with us at all times.

Our main interest in Google Authenticator is to secure SSH, and the quickest method of achieving this is via PAM. PAM is a standard part of most UNIX platforms including SmartOS, so all we had to do to facilitate this was to add Google Authenticator to our package repository.

Installing & Configuring the PAM Module

The first step is to install the PAM module, which you can simply do as follows:

# sudo pkg install -v library/security/google/google-authenticator-pam
               Packages to install:     1
           Create boot environment:    No
              Rebuild boot archive:    No
Changed fmris:
  None -> pkg://smartos.pkg.ec/library/security/google/google-authenticator-pam@1.0,5.11-0.162:20130918T115736Z
Services:
  None
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  1/1         5/5      0.1/0.1

PHASE                                        ACTIONS
Install Phase                                  16/16

PHASE                                          ITEMS
Package State Update Phase                       1/1
Image State Update Phase                         2/2

PHASE                                          ITEMS
Reading Existing Index                           8/8
Indexing Packages                                1/1
Deleting content cache

The PAM module is installed to /ec/lib/security/pam_google_authenticator.so. The next step is to tell PAM to use it, so simply add the following line to the bottom of /etc/pam.conf:

sshd    auth required          /ec/lib/security/pam_google_authenticator.so

Next, we must configure Google Authenticator for each user that needs to log into the system. This involves generating a unique key that you can use with the Google Authenticator application. To do this, simply run the following as the user you SSH in as (I’ll skip a description of the options, as they are fairly self-explanatory):

# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/alasdair@XXXX%3Fsecret%3D2OFCOABA5XLARMW5
Your new secret key is: 2OFXXXXXXXXXXW5
Your verification code is 9XXXX5
Your emergency scratch codes are:
  34XXXX14
  59XXXX81
  42XXXX31
  74XXXX42
  52XXXX04

Do you want me to update your "/home/alasdair/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

You’ll need to get each user that needs to log in to do this. The next step is to use the secret key with the Google Authenticator app. Simply go to “Add an account”, then “Enter key provided”, and enter the Secret Key from above.
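To make the setup dialogue above concrete, here is an added example (not code from the post or from the PAM module) of what the server side is doing: a TOTP check with the 30-second step, the one-step skew window either side of the current time, and the “disallow multiple uses” rule. It assumes the module’s defaults (HMAC-SHA1, six digits) and simplifies the reuse rule to “refuse any time step at or before the last accepted one”; the base32 secret used in the test is the RFC 6238 reference seed, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # token lifetime, as the setup dialogue states
DIGITS = 6   # Google Authenticator shows six-digit codes

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def decode_secret(secret_b32: str) -> bytes:
    """Decode the unpadded base32 secret that google-authenticator prints."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(secret_b32: str, at: float, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with counter = unix_time // step."""
    return hotp(decode_secret(secret_b32), int(at) // step)

class TotpVerifier:
    """Server-side check: window=1 accepts one step before and after now (the
    1:30 min window from the dialogue); a code for a step at or before the last
    accepted one is refused, so a captured code cannot be replayed (assumed,
    simplified form of the module's reuse check)."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP):
        self.key = decode_secret(secret_b32)
        self.window = window
        self.step = step
        self.last_used = None  # time step of the last accepted code

    def verify(self, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        current = int(now) // self.step
        for c in range(current - self.window, current + self.window + 1):
            if self.last_used is not None and c <= self.last_used:
                continue  # already consumed (or older than one consumed): reject
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_used = c
                return True
        return False
```

Note that `last_used` must be persisted per user (the module keeps it in the user's .google_authenticator file), otherwise the reuse check resets on every login.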


Once the app is generating one time passwords, you can enable PAM inside OpenSSH and tell it to use the correct kind of authentication. First, make sure you’re using OpenSSH rather than SunSSH:

alasdair ~ (smartbuild01.alasdair): svcs -a | grep ssh
disabled        8:20:16 svc:/network/ssh:default
online          8:20:22 svc:/network/openssh:default

You have a choice of using Google Authenticator along with any of the other SSH authentication methods, for example password or SSH key. My preference is to use it in conjunction with an SSH key, with passwords disabled. To set this up, edit /ec/etc/ssh/sshd.conf and ensure the following settings are set:

PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

The “AuthenticationMethods” option is new in OpenSSH 6.2, so you’ll need to make sure you’re on this version to do this. Without it there is no way to require both an SSH key and the PAM prompt, so you’re stuck using password authentication and PAM.

Now when I log in, it first authenticates via my SSH key, then prompts for the Google Authenticator code. Perfect :-)
