scottlinux.com | Linux Blog

Use Google Authenticator For Two-Factor SSH Authentication in Linux

By Scott Miller | 2013/06/02

For a secure and convenient way to add two-factor SSH authentication to your Linux server, you can use Google Authenticator. I’ll show you how to set this up!


1. In Ubuntu 13.04:

$ sudo apt-get install libpam-google-authenticator

2. Then, from an open bash shell logged in as your user account on that server, run the following:

$ google-authenticator

Scan the bar code with your Android phone or iPhone to add the key. (Or alternatively, open the URL provided on your phone to add the key.)

Note: save the emergency scratch codes in case you need to access the server without your phone!


I suggest answering y to each of the questions that follow:

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

3. Next, add this line to the bottom of /etc/pam.d/sshd:

auth required pam_google_authenticator.so


4. Next, make sure this is set to yes in /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes


5. Restart ssh:

$ sudo /etc/init.d/ssh restart

Done!


Now you can log in with two-factor auth (password and Google Authenticator):

stmiller@brahms:~$ ssh stmiller@172.16.1.148
Password: 
Verification code: 
Welcome to Ubuntu 13.04 (GNU/Linux 3.8.0-19-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Sun Jun  2 13:20:22 2013 from 172.16.1.202
stmiller@ubuntu1304:~$ 
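
A check worth running while your current SSH session is still open, as an added example that is not part of the original post: it verifies the PAM line from step 3, the sshd_config setting from step 4, and that the secret file written in step 2 is private to its owner. The function names and the UsePAM check are assumptions added here, and Match blocks and Include files in sshd_config are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for steps 2-4.
# Usage: sh check_2fa.sh /etc/pam.d/sshd /etc/ssh/sshd_config ~/.google_authenticator

# Succeeds if the PAM file has an uncommented auth line loading the module.
pam_has_totp() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1"
}

# Prints the global value of sshd_config keyword $2 in file $1, lower-cased.
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive; Match blocks and Include files are not evaluated here.
sshd_global() {
    awk -F'[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, "") }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Succeeds if the secret file exists with no group/other permission bits.
secret_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Runs all checks, prints one line per problem, returns non-zero on any.
check_2fa() {
    rc=0
    pam_has_totp "$1" ||
        { echo "FAIL: $1 has no active pam_google_authenticator.so auth line"; rc=1; }
    [ "$(sshd_global "$2" ChallengeResponseAuthentication)" = yes ] ||
        { echo "FAIL: ChallengeResponseAuthentication is not yes in $2"; rc=1; }
    # Assumption beyond the post: sshd only consults PAM when UsePAM is yes.
    [ "$(sshd_global "$2" UsePAM)" = yes ] ||
        { echo "FAIL: UsePAM is not yes in $2"; rc=1; }
    secret_is_private "$3" ||
        { echo "FAIL: $3 is missing or accessible by group/other"; rc=1; }
    return "$rc"
}

# Run only when the three paths are given, so sourcing the file has no effect.
if [ "$#" -eq 3 ]; then
    check_2fa "$@"
    exit $?
fi
```

If every check passes, confirm the login from a second terminal before closing the session you already have open.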


Category: linux sysadmin Tags: google authenticator, linux two factor authentication, login, login security, openssh, security, ssh, ssh authentication, ssh security, two-factor, two-factor auth