By Alasdair Lumsden on 19 Sep 2013
Google Authenticator is a two-factor authentication application for mobile devices that can be used to strengthen logins, such as SSH logins to servers. I recently blogged about doing this with Yubico Yubikeys, but what’s really neat about Google Authenticator is the fact that you don’t need to carry around anything more than just your mobile phone, something most of us have with us at all times.
Our main interest in Google Authenticator is securing SSH, and the quickest way to achieve this is via PAM. PAM is a standard part of most UNIX platforms, including SmartOS, so all we had to do to facilitate this was add the Google Authenticator PAM module to our package repository.
Installing & Configuring the PAM Module
The first step is to install the PAM module, which you can simply do as follows:
# sudo pkg install -v library/security/google/google-authenticator-pam
           Packages to install:  1
       Create boot environment: No
            Rebuild boot archive: No
Changed fmris:
  None -> pkg://email@example.com,5.11-0.162:20130918T115736Z
Services:
  None

DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  1/1         5/5      0.1/0.1

PHASE                                        ACTIONS
Install Phase                                  16/16

PHASE                                          ITEMS
Package State Update Phase                       1/1
Image State Update Phase                         2/2

PHASE                                          ITEMS
Reading Existing Index                           8/8
Indexing Packages                                1/1
Deleting content cache
The PAM module is installed to /ec/lib/security/pam_google_authenticator.so. The next step is to tell PAM to use it, so add the following line to the bottom of /etc/pam.conf:
sshd auth required /ec/lib/security/pam_google_authenticator.so
Two things are worth knowing about this line. On Solaris-derived systems a service-specific entry replaces the "other" stack for that service and module type, so with only this line the sshd auth stack consists of the Google Authenticator check and nothing else; that is what we want for the key-plus-code setup below, where the UNIX password is never consulted. Also, a user who has not yet generated a ~/.google_authenticator file will be refused, so if you need to roll this out gradually, append the module's nullok option to the line to let un-enrolled users in without a code until everyone has set up the app.
Next, we must configure Google Authenticator for each user who needs to log into the system. This generates a unique secret key that is then loaded into the Google Authenticator application. To do this, run the following as the user you SSH in as (I’ll skip a description of the options, as they are fairly self-explanatory):
# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/alasdair@XXXX%3Fsecret%3D2OFCOABA5XLARMW5
Your new secret key is: 2OFXXXXXXXXXXW5
Your verification code is 9XXXX5
Your emergency scratch codes are:
  34XXXX14
  59XXXX81
  42XXXX31
  74XXXX42
  52XXXX04

Do you want me to update your "/home/alasdair/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
You’ll need each user who logs in to do this. The next step is to load the secret key into the Google Authenticator app: go to “Add an account”, then “Enter key provided”, and enter the secret key from above. Note that the chart URL printed by the tool carries the secret in its query string, so opening it sends your seed to a third-party web service; typing the key into the app by hand avoids that. Keep the emergency scratch codes somewhere safe and offline, since each one is a single-use bypass of the phone.
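As an added illustration (my code, not part of the original post or of the google-authenticator project), the following Python computes the same codes the phone app does from the base32 secret the tool prints, and shows the server-side checks behind the prompts above: the one-step-either-side skew window (the default 1:30 window) and the rejection of a time step that has already produced a login (the "disallow multiple uses" option). The secret and timestamps are the RFC 6238 test vector, not a real key, and the in-memory `used` set is a stand-in for the timestamps the real module records in ~/.google_authenticator.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (leading zeros kept)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """google-authenticator prints the secret as unpadded base32;
    b32decode insists on padding, so restore it before decoding."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(decode_secret(secret_b32), at // step, digits)


class TotpVerifier:
    """Server-side check mirroring the pam_google_authenticator prompts:
    accept the code for the current time step or one step either side,
    and refuse a time step that already produced a successful login.
    `used` stands in for the timestamps the real module writes back to
    ~/.google_authenticator (assumption: in-memory only, for illustration)."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = decode_secret(secret_b32)
        self.window = window
        self.step = step
        self.digits = digits
        self.used = set()

    def verify(self, code: str, at: int) -> bool:
        current = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate < 0:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time compare: the leak on a 6-digit code is small,
            # but there is no reason to hand an attacker anything.
            if hmac.compare_digest(expected.encode(), code.strip().encode()):
                if candidate in self.used:
                    return False  # replay of a code that was already spent
                self.used.add(candidate)
                return True
        return False


# Constructed input: the RFC 6238 Appendix B test secret ("12345678901234567890")
# in base32, the form google-authenticator would print it in. Not a real key.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


if __name__ == "__main__":
    print("code for the current 30s step:", totp(RFC6238_SECRET_B32, int(time.time())))
    v = TotpVerifier(RFC6238_SECRET_B32)
    code = totp(RFC6238_SECRET_B32, 59)
    print("first use accepted:", v.verify(code, 59))  # True
    print("replay accepted:", v.verify(code, 59))     # False
```

Running it against the RFC 6238 vectors gives 94287082 at t=59 with 8 digits (287082 with the app's 6), and the verifier shows why the "disallow multiple uses" answer costs you one login per 30 seconds: the spent time step stays rejected even while it is still inside the skew window.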
Once the app is generating one-time passwords, you can enable PAM inside OpenSSH and tell it which authentication methods to require. First, make sure you’re running OpenSSH rather than SunSSH:
alasdair ~ (smartbuild01.alasdair): svcs -a | grep ssh
disabled        8:20:16 svc:/network/ssh:default
online          8:20:22 svc:/network/openssh:default
You can combine Google Authenticator with any of the other SSH authentication methods, for example a password or an SSH key. My preference is to use it in conjunction with an SSH key, with passwords disabled. To set this up, edit /ec/etc/ssh/sshd_config and ensure the following settings are in place:
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
The “AuthenticationMethods” option is new in OpenSSH 6.2, so make sure you’re on at least that version. Without it, sshd accepts whichever single enabled method succeeds, so a valid public key logs you in on its own and the Google Authenticator prompt never appears; the only way to force the code on older versions is to give up public keys and use password authentication plus PAM. Once the file is saved, restart the service (svcadm restart svc:/network/openssh:default) and test from a second session before closing the one you are in, so that a mistake in PAM or sshd_config cannot lock you out.
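As a second added example (again my code, not from the post or from OpenSSH), here is a small Python audit of an sshd_config against the settings above. It applies the rule from sshd_config(5) that the first value given for a keyword wins, which is the usual reason a hardening line appended to the end of a stock config silently does nothing, it ignores everything from the first Match block onward because those lines are not global settings, and it reports a missing AuthenticationMethods as a finding because sshd then accepts a key alone. Both configs are constructed samples.

```python
import re

# Settings this post relies on: key first, then the TOTP code, no password
# fallback. sshd matches keywords case-insensitively, so they are lowercased.
REQUIRED = {
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
    "authenticationmethods": "publickey,keyboard-interactive",
}


def effective_settings(config_text: str) -> dict:
    """Global settings sshd would actually apply.

    sshd_config(5): for each keyword "the first obtained value will be used",
    so a later duplicate is ignored rather than overriding. Everything from
    the first Match block onward applies only inside that block, so it is
    not part of the global configuration and is skipped here."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        effective.setdefault(keyword, value)
    return effective


def audit(config_text: str) -> list:
    """Return (keyword, expected, actual) for each required setting that is
    missing or wrong. actual is None when the keyword is absent; for
    AuthenticationMethods that means sshd accepts any single enabled method,
    so a valid key logs in without ever prompting for the code."""
    effective = effective_settings(config_text)
    findings = []
    for keyword, expected in REQUIRED.items():
        actual = effective.get(keyword)
        if actual is None or actual.lower() != expected:
            findings.append((keyword, expected, actual))
    return findings


# Constructed sample: a stock config with one hardening line appended at the
# bottom, which is what you get by just cat-ing it onto the file.
WEAK_CONFIG = """\
# Port 22
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
PermitEmptyPasswords no
# appended later; the earlier 'yes' above is the one sshd honours:
PasswordAuthentication no
"""

# Constructed sample: the settings from this post, plus a Match block whose
# password exception must not be mistaken for a global setting.
HARDENED_CONFIG = """\
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "ok")
```

On the weak sample the audit flags PasswordAuthentication (effective value yes, despite the appended no) and the absent AuthenticationMethods; the hardened sample passes clean. On a live host the same check is better done from sshd's own view of the file, sshd -T, which prints the effective configuration after the first-match rule has been applied.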
Now when I log in, it first authenticates via my SSH key, then prompts for the Google Authenticator code. Perfect :-)