Setting up Google Authentication for SSH Multi-Factor Auth
In this tutorial we will go over how to set up two-factor authentication for SSH using google-authenticator on CentOS 6.
First thing we need to do is install the google-authenticator package using yum.
yum install google-authenticator
Next, run google-authenticator to generate a key.
google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://email@example.com%3Fsecret%3D3FO6WYXPZUMTEWUB
Your new secret key is: 3FO6WYXPZUMTEWUB
Your verification code is 799347
Your emergency scratch codes are:
84194653
29899626
13794318
84024610
76941184
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)
With this information, you will need to install the Google Authenticator application on your phone. Copy and paste the URL at the beginning of the output from google-authenticator into your browser, which should show you a QR code. Scan this code using the Google Authenticator application on your phone. You will now see a 6-digit number in your Google Authenticator app. This number changes at a fixed interval; as the prompt above notes, tokens are good for 30 seconds by default. This number will be your second authentication method when logging into your server. If you ever lose your secret key and need to set up another phone, you can always run the google-authenticator command again to regenerate it.
Next, we need to set up PAM to use google_authenticator for authenticating users.
Open up the pam ssh configuration file.
sudo vim /etc/pam.d/sshd
Then add the following lines at the bottom.
## Google authenticator for ssh
auth required pam_google_authenticator.so
Next, we need to add the
ChallengeResponseAuthentication yes option to the
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
Now restart sshd for the new changes to take effect.
sudo service sshd restart
The first time I tried to set this up, I was unable to log in using my authentication code. I would be prompted for a code when I tried to initiate an ssh connection, but I would see this message in the logs and would not be let in.
Dec 28 17:49:43 web2p sshd(pam_google_authenticator): Invalid verification code
It turns out the problem was caused by the time on my testing server not being correct. Make sure you have ntp running and configured correctly.
To install and set ntp to auto start:
yum install ntp
chkconfig ntpd on
service ntpd start
Now run this command to manually force ntp to sync with
You can check the date on your server with the date command to make sure ntp is working. After syncing my time, I was able to log into my ssh server using google authenticator without a problem.
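Why a wrong server clock produces the "Invalid verification code" log line, as an added example (not part of the original tutorial and not google-authenticator's own code): it computes the RFC 6238 time-based code and checks it against a server clock with increasing skew. It assumes the HMAC-SHA1, 30-second, 6-digit defaults and uses the RFC 6238 test key instead of a real secret; the names totp, verify and skew_report are chosen here.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds a token is good for (default named in the setup prompts)
# RFC 6238 test key, base32-encoded; a constructed sample, not a real secret.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, digits=6):
    """Time-based code per RFC 6238 (HMAC-SHA1) for the given clock reading."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, server_time, window=1):
    """Accept a code matching any step within +/- window of the server clock."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + d * STEP), code)
        for d in range(-window, window + 1)
    )


def skew_report(secret_b32, phone_time, skews, window=1):
    """Map each server clock error (seconds) to whether the phone's code passes."""
    code = totp(secret_b32, phone_time)
    return {s: verify(secret_b32, code, phone_time + s, window) for s in skews}


if __name__ == "__main__":
    phone_time = 1111111125  # constructed timestamp, mid-way through a step
    report = skew_report(RFC_SECRET, phone_time, [0, 30, -30, 300])
    for skew, ok in report.items():
        verdict = "accepted" if ok else "Invalid verification code"
        print(f"server clock off by {skew:+5d}s -> {verdict}")
```

With window=1 (one extra token before and after the current time), a server clock that is a few minutes off rejects every code the phone shows, which is the failure described above.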
Public Key Authentication
We decided that we wanted to allow users to log in using either Google Authenticator, or a regular ssh public key. We generally use public keys for ssh authentication, but occasionally we will want to log in to one of our servers from a machine we will only use once. Google Authenticator is a great compromise for this as it allows us to authenticate without an ssh key, but still maintains our security.
To ensure sshd will allow authentication from either the Google Authenticator module in pam, or an ssh key, uncomment the following lines in
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes
The changes we made to /etc/pam.d/sshd should only affect the password authentication portion of the ssh login process. If PubkeyAuthentication yes is set, ssh should approve your ssh key authentication without reaching out to pam and requiring two-factor authentication.
In our next article, we will go over how to allow users to log in once before google-authentication is enforced.