Using Google-Authenticator for free two-factor ssh authentication

Posted on February 12th, 2012 by Luke Sheldrick.
Categories: IT / Tech.


I’d consider myself a pretty security-conscious person, so most of my stuff is either firewalled off, can only be accessed via a VPN, or requires a key of some sort (SSH keys), except for one box. That one box is the weak link in the chain, but it is there out of convenience. I have a box out there I can jump to, connect in with a password, and then get to everything else. However, I hate having that weak link. The only reason I have it is that if I am somewhere without access to, say, my laptop, I can still jump on a shared machine and connect back to my kit.

Last week I was on a course and couldn’t use my laptop, so I was using one of the training centre’s computers. Throughout the course I’d check my emails, IRC, etc., just using their standard installed PuTTY, connecting back to my server via SSH. However, how do I know what they have installed on their hotdesk computer? For all I know, they could have a keylogger sitting there happily recording my password. (Noted: a bit paranoid.) On the way home from the course I really wasn’t happy with that risk, so when I got home I naturally changed the password and checked the logs; no unexpected access seen, so happy for now. However, I needed to find a way to fix this.

I googled about for a bit, then stumbled on Google Authenticator. I had read about this being released for Google accounts, i.e. two-factor auth to check your Gmail etc., but what I hadn’t realised is that they had released a PAM (Pluggable Authentication Module) to work with their authenticator. Neat! I spun up a VM in my lab and had a play, and it was very, very easy to get the module installed and working with SSH.

After compiling the PAM module, installing it, and updating the PAM config and sshd’s, you’re pretty much ready to go. Users on the server have to enrol using the google-authenticator binary, which asks them a series of questions, then presents a URL which displays a QR code. Crank up the authenticator app on your favourite smartphone, and it should add the OTP config and start generating OTPs. Depending on whether you chose time-based or counter-based OTPs, you’ll see a countdown clock (until the next code) or a button to request a new code.

There are some really good guides on setting this up, so I won’t duplicate them. I’ve got it running on my Ubuntu jump box and a few CentOS servers in my lab. It seems perfectly stable so far. What I do like about this OTP solution vs. some others such as RSA is that it doesn’t need to ‘call home’, so if for some reason the server is isolated from the internet I can still authenticate using the OTP, as it’s based on RFC 4226 and so is time-based.

I have read in a few places that GA and SSH keys cannot be used together, and that you should disable KeyAuthentication. Both can work alongside each other; however, OpenSSH sees them as separate things. So if I try to authenticate using my private key, it will accept that and ask for no further authentication. What I think people are saying here is that if you want to still be challenged for your OTP when using your key, this won’t fit your requirements. For me, if I have my key, that is enough.

One thing I did put in place, which avoids a bit of a chicken-and-egg situation, is that if you haven’t enrolled with google-authenticator on the jump box yet, you can still authenticate using just your password. I’ve given some people access to the jump box for various reasons, and not all of them use keys, so once I had implemented the dual auth some of them couldn’t connect in order to set up google-auth. Oops. To get this to work you need to add nullok to your PAM config line. I also added an option that echoes the code as you’re typing it.

Your PAM config (e.g. /etc/pam.d/common-auth) should have a line like the following for this to work.
auth    required               pam_google_authenticator.so nullok echo_verification_code
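The nullok point above is easy to get wrong in the other direction (locking out every user who has not yet enrolled), so here is an added example, written for this post and not taken from the PAM module or the project, that models the decision the module makes for a user and checks the two sshd_config keywords the ‘Verification code:’ prompt depends on (UsePAM and ChallengeResponseAuthentication, both real sshd_config keywords). The PAM lines and sshd_config excerpts are constructed samples, not copied from any host, and the model assumes the `required`/`requisite` control the post uses.

```python
# Constructed sample PAM lines: the post's nullok line and a strict variant.
PAM_LINE_NULLOK = "auth    required    pam_google_authenticator.so nullok echo_verification_code"
PAM_LINE_STRICT = "auth    required    pam_google_authenticator.so"

# Constructed sshd_config excerpts (not from a real host).
SSHD_CONFIG_OK = """\
# excerpt: PAM challenge can reach the SSH client
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
"""
SSHD_CONFIG_BAD = """\
# excerpt: the OTP prompt is never sent, so the OTP is silently not enforced
ChallengeResponseAuthentication no
UsePAM yes
"""

GA_MODULE = "pam_google_authenticator.so"


def parse_pam_line(line: str):
    """Split a pam.d line into (type, control, module, options)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed PAM line: %r" % line)
    return fields[0], fields[1], fields[2], fields[3:]


def otp_outcome(pam_line: str, enrolled: bool) -> str:
    """Model pam_google_authenticator for one user under required/requisite.

    enrolled: whether the user has a ~/.google_authenticator secret file.
    Returns 'otp_required' (the module prompts for a code), 'otp_skipped'
    (nullok and no secret: the module steps aside and the rest of the auth
    stack, i.e. the password, decides) or 'locked_out' (no secret, no nullok:
    the module fails and so does the login, the chicken-and-egg case).
    """
    ptype, control, module, options = parse_pam_line(pam_line)
    if ptype != "auth" or module != GA_MODULE:
        raise ValueError("not a google-authenticator auth line: %r" % pam_line)
    if control not in ("required", "requisite"):
        raise ValueError("model only covers required/requisite control")
    if enrolled:
        return "otp_required"
    if "nullok" in options:
        return "otp_skipped"
    return "locked_out"


def sshd_option(config_text: str, keyword: str, default: str) -> str:
    """Effective value of an sshd_config keyword: keywords are case-insensitive
    and the first occurrence wins, as sshd(8) documents."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return default


def sshd_can_prompt_for_otp(config_text: str) -> bool:
    """The PAM conversation only reaches the client when sshd uses PAM and
    keyboard-interactive challenges are enabled."""
    return (sshd_option(config_text, "UsePAM", "no") == "yes"
            and sshd_option(config_text, "ChallengeResponseAuthentication", "yes") == "yes")


if __name__ == "__main__":
    for name, line in (("nullok", PAM_LINE_NULLOK), ("strict", PAM_LINE_STRICT)):
        for enrolled in (True, False):
            print(name, "enrolled" if enrolled else "not enrolled", "->",
                  otp_outcome(line, enrolled))
    print("sshd OK config prompts for OTP:", sshd_can_prompt_for_otp(SSHD_CONFIG_OK))
    print("sshd BAD config prompts for OTP:", sshd_can_prompt_for_otp(SSHD_CONFIG_BAD))
```

The useful check before restarting sshd is the pair of outcomes for the strict line: if any account on the box is in the ‘not enrolled’ row, that account is locked out the moment the line goes in, which is exactly what the post’s nullok avoids; the trade-off is that an unenrolled account stays protected by its password only until it enrols.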

You can get the modules over at Google Code. All in all, a pretty neat solution to my issue: whatever machine I log in from now, sure, you can steal my password, but unless you also have my unlocked phone to generate you a new OTP, you won’t be able to get in. The weak link is now a bit stronger.
