24 thoughts on “Use Google Authenticator For Two-Factor SSH Authentication in Linux”

  1. jstn

    this is great, but you’re already using key based auth, right? 😉

    1. iddles

      SSH keys with passphrases are more vulnerable on compromised systems. If you run a dodgy script it could read your ~/.ssh/id_rsa.pub file and also do some key-logging to get your passphrase. With Google authentication the verification code originates outside the system; on your phone either by SMS or an app, which is much harder for a hacker / virus to get hold of.

      1. djm

        That isn’t entirely correct. A compromised client can steal OTP codes just as easily as they could keys (perhaps even more easily, e.g. if the key is held in ssh-agent).

        The difference is that a stolen OTP code has a shorter useful lifetime than a stolen key, though the difference is often moot – a competent attacker only needs to steal access once to backdoor an account.

        BTW it’s possible to require key+password (or even key+password+OTP) authentication via the sshd AuthenticationMethods option that was added in openssh-6.2.

        1. Mathew Paret

          Hi djm,

          I am using Key based authentication to access my VPN. I would like to use Key+OTP. From your previous statement it seems possible. Please let me know how. Key based auth is already configured. So do I just need to configure OTP access as said above and will it start working with KEY? Or are there any additional steps needed?

          Thanks & Regards
          Matt

          1. Mathew Paret

            Correction: Using VPS (not VPN)

          2. djm

            First you need to be using openssh-6.2 or greater. You should follow the configuration above to get OTP+password working and ensure that public key works as well.

            Then add “AuthenticationMethods publickey,keyboard-interactive” to sshd_config and restart sshd. Your client will then be required to complete public key authentication before being offered the OTP/password prompts.

  2. Mark

    I’m not getting prompted for 2nd auth factor.

    I just installed openssh-server and ChallengeResponseAuthentication was already in sshd_config.

    $ grep ChallengeResponseAuthentication /etc/ssh/sshd_config
    ChallengeResponseAuthentication yes
    # be allowed through the ChallengeResponseAuthentication and
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # and ChallengeResponseAuthentication to ‘no’.

    I’ve added pam_google_authenticator.so to sshd as directed, and then restarted the daemon.

    $ grep pam_google_authenticator /etc/pam.d/sshd
    auth required pam_google_authenticator.so

    I’ve logged the output from ssh -vv here: http://pastebin.com/MKskrtFc

    Can you see why it’s not working?

    1. DicBob

      You may have to add usePAM = yes to sshd config.

        1. djm

          set PasswordAuthentication=no in sshd_config; it is being offered ahead of challenge response.

        2. Scott Miller Post author

          For public key + google auth, use this in your /etc/ssh/sshd_config:

          AuthenticationMethods publickey,keyboard-interactive

          Edit: Only in openssh 6.2 or later which hasn’t hit the distros yet.

          Cheers,

          1. JT

            I know this thread is old, but I’m trying to do (password-less) pubkey & OTP. I tried this and couldn’t get auth to work with just pubkey and OTP. (My private key has a password, but I don’t want my login to prompt for my remote account password).

            Anyone have any advice for getting it set up this way?

            I posted the question on serverfault, but haven’t had any responses as of yet. Possibly because it’s not supposed to work that way?

            http://serverfault.com/questions/629883/trying-to-get-ssh-with-public-key-no-password-google-authenticator-working-o

    2. Andy

      It looks like you’re using OpenSSH 6.1, but to use both the authenticator and SSH keys I think you need 6.2+

  3. Slinkwyde

    Your post makes it seem like Google Authenticator is only for Android, but it’s also available for iOS and BlackBerry.

    Good how-to and good to know this is possible.

    1. Anonymous

      While Google’s Authenticator app isn’t on Windows Phone, Microsoft’s Authenticator app will work with this as well since Microsoft’s app implements the same RFC standard that Google’s does.

  4. Blaasvaak

    I get the verification prompt after I filled in the passphrase but it lets me through no matter what I enter for verification.

    1. Scott Miller Post author

      Thank you! Tested and now post updated. Do not use ‘auth optional’ in /etc/pam.d/sshd.

      Use auth required

      Cheers,

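The replies above from djm, DicBob and Scott converge on one set of settings: ChallengeResponseAuthentication yes, UsePAM yes, PasswordAuthentication no (so the password prompt is not offered ahead of the challenge-response one), AuthenticationMethods publickey,keyboard-interactive (OpenSSH 6.2 or later), and `auth required` rather than `auth optional` for pam_google_authenticator.so. The following is an added example, not code from the post or from any commenter: a small Python audit that reads the text of sshd_config and /etc/pam.d/sshd and reports where they deviate from that recipe. It applies sshd's rule that the first value seen for a keyword wins, skips conditional Match blocks, and falls back to OpenSSH's upstream defaults for keywords that are absent. The sample file contents are constructed to resemble the situations described in the thread.

```python
"""Audit sshd_config and /etc/pam.d/sshd text for the two-factor settings this thread settles on."""
import re

# Values the thread converges on.
REQUIRED = {
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
    "passwordauthentication": "no",
    "authenticationmethods": "publickey,keyboard-interactive",
}

# OpenSSH upstream defaults used when a keyword is absent (distros may ship a different file).
DEFAULTS = {
    "challengeresponseauthentication": "yes",
    "usepam": "no",
    "passwordauthentication": "yes",
}


def parse_sshd_config(text: str) -> dict:
    """Return the effective global value of each keyword.

    sshd uses the first value it reads for a keyword, so later duplicates are ignored.
    Keywords are case-insensitive and may be separated from their value by spaces or '='.
    Everything after the first 'Match' line applies conditionally and is skipped here.
    """
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value)  # first value wins
    return effective


def audit_sshd(text: str) -> list:
    """List every REQUIRED keyword whose effective value differs from the recipe."""
    effective = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        have = effective.get(key, DEFAULTS.get(key, "(unset)"))
        if have.lower() != want:
            findings.append(f"{key}: have '{have}', want '{want}'")
    return findings


def audit_pam(text: str) -> list:
    """Check the pam_google_authenticator.so auth line uses 'required', as Scott's update says.

    Bracketed control syntax such as [success=1 default=ignore] is not interpreted here.
    """
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth" and fields[2].endswith("pam_google_authenticator.so"):
            if fields[1] != "required":
                return [f"pam: control is '{fields[1]}', want 'required'"]
            return []
    return ["pam: no auth line for pam_google_authenticator.so"]


# Constructed sample resembling Mark's setup: challenge-response on, password auth left at default.
MARKS_CONFIG = """\
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed sample with the full recipe; the later duplicate and the Match block are ignored.
FIXED_CONFIG = """\
ChallengeResponseAuthentication yes
UsePAM = yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
UsePAM no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("mark", MARKS_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_sshd(cfg) or "ok")
    print("pam optional:", audit_pam("auth optional pam_google_authenticator.so\n"))
    print("pam required:", audit_pam("auth required pam_google_authenticator.so\n") or "ok")
```

To run it against a real host, pass the contents of /etc/ssh/sshd_config and /etc/pam.d/sshd to audit_sshd and audit_pam; an empty list means the file matches the thread's recipe. Note that AuthenticationMethods is only understood by OpenSSH 6.2 and later, as djm and Andy point out, so on older servers that finding is expected.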
  5. Puzzled

    This doesn’t work for me. When I make the suggested changes, the password starts failing and I’m never prompted for Google Auth verification. Reversing the changes allows me to log in as normal again.

  6. jason

    lol, like an idiot I followed this guide, only I thought, hey, Microsoft Authenticator (since I have a Windows Phone that Google doesn’t want to put apps out on), used that, and now I’m locked out of my admin account … the only one on the server …. I feel so stupid

    1. Simon McKenzie

      Hi Jason,

      Microsoft Authenticator works exactly the same as Google Authenticator (they both implement RFC 6238), so you should be OK. Maybe your clocks weren’t accurately synced at the time – you may find that noting down the current code from your phone and entering it a minute later, or entering a fresh code as soon as it’s generated could do the trick…

      Cheers,

      Simon

  7. Frank

    What happens when a user has not set a Google Authenticator? Can he sign on as usual?

