How can I use a passcode generator for authentication for remote logins?
Solution 1:
One way to do this is with a tool provided by Google called Google Authenticator.
- Install libpam-google-authenticator, or just:
  sudo apt-get install libpam-google-authenticator
- Edit /etc/pam.d/sshd to include the module:
  sudoedit /etc/pam.d/sshd
  and then include this line at the top of the file and save:
  auth required pam_google_authenticator.so
- Edit your SSH config file to turn on the challenge:
  sudoedit /etc/ssh/sshd_config
  and then change the response authentication from:
  ChallengeResponseAuthentication no
  to
  ChallengeResponseAuthentication yes
  and then save the file.
- Restart SSH:
  sudo restart ssh
- Run google-authenticator. This will give you your secret key, verification code, and emergency scratch codes. It will also ask you some rate limiting questions.
Mobile Applications:
You'll need one of these to receive the authentication code on another device.
- Android App
- iPhone App
Related and Useful:
- Most of this answer is derived from this blog post by Jean-Francois Theroux but updated.
- Google Authenticator Wiki
- http://guides.webbynode.com/articles/security/ubuntu-google-authenticator.html
- http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html
- It is my understanding that if you're using passwordless logins via SSH keys, you can only do one or the other; see this question: How can I set up password-less SSH login?
- And if you're using Puppet, there's a puppet module here: https://github.com/camptocamp/puppet-googleauthenticator
- See Maarten's answer and link to github issue on why you need to add the .so line at the top of your pam config: https://askubuntu.com/a/668398
Note that combining a password with single-use passcodes is two-factor authentication: it combines “what you know” (a password) with “what you have” (the passcode generator device). On the other hand, if you combine single-use passcodes with an SSH key pair, it's all about “what you have”. When two authentication factors are of the same type, you do not have two-factor authentication; this is sometimes called “one-and-a-half-factor authentication”.
Solution 2:
Google Authenticator is fine for your personal servers but you might find that it doesn't tie in well with your existing identity infrastructure. If you want to explore other options think about using RADIUS as an authentication protocol and the pam-radius plugin. All the enterprise-oriented two-factor authentication systems support RADIUS. We have written a doc on how to add WiKID two-factor authentication via pam-radius to Ubuntu.
Using RADIUS allows you to tie in other systems besides SSH to the same authentication server. You can also route auth requests through FreeRADIUS to LDAP and then to your 2FA server to separate authorization from authentication. You can do the same with AD btw.
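As an added example of the exchange pam-radius and a 2FA server carry out (this is illustrative code, not taken from the answer above, pam-radius or any RADIUS server), the following implements the RFC 2865 Access-Request/Access-Accept round trip with both sides in one file: the client hides the User-Password with the shared secret and a random Request Authenticator, the server recovers it, decides, and signs its reply with a Response Authenticator, and the client refuses to trust a reply whose authenticator does not check out. The shared secret "testing123", the user "alice" and the credential check are constructed for the example; the password field carries whatever the 2FA server expects, here a static password followed by a one-time code.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865), client and server side."""
import hashlib
import hmac
import os
import struct
from typing import Callable, Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct(">BBH")  # Code, Identifier, Length; then a 16-byte Authenticator


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; b1 = MD5(secret + RequestAuth),
    b(i) = MD5(secret + c(i-1)); c(i) = p(i) XOR b(i)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; chaining uses the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    """Type-Length-Value; Length covers the two header bytes."""
    return bytes([kind, len(value) + 2]) + value


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(secret: bytes, ident: int, username: str, password: str) -> bytes:
    """Client (pam_radius) side. The random Request Authenticator keys the password
    hiding and is later bound into the server's Response Authenticator."""
    request_auth = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(
        ATTR_USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
    header = HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + 16 + len(attrs))
    return header + request_auth + attrs


def handle_access_request(secret: bytes, packet: bytes,
                          check_credentials: Callable[[str, str], bool]) -> bytes:
    """Server side. Response Authenticator = MD5(Code + ID + Length + RequestAuth
    + reply attributes + secret); no reply attributes are sent here."""
    code, ident, length = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    # A wrong shared secret yields garbage here and therefore a Reject, not a crash.
    password = reveal_password(secret, request_auth, attrs[ATTR_USER_PASSWORD]).decode(errors="replace")
    reply_code = ACCESS_ACCEPT if check_credentials(user, password) else ACCESS_REJECT
    header = HEADER.pack(reply_code, ident, HEADER.size + 16)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(secret: bytes, request: bytes, response: bytes) -> Optional[int]:
    """Client side: only trust the reply code after the identifier and Response
    Authenticator check out. Returns the code, or None for a forged/tampered reply."""
    code, ident, length = HEADER.unpack_from(response)
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


if __name__ == "__main__":
    secret = b"testing123"  # constructed shared secret for the example
    req = build_access_request(secret, 42, "alice", "s3cret287082")
    resp = handle_access_request(secret, req, lambda u, p: u == "alice" and p == "s3cret287082")
    print("reply code:", verify_response(secret, req, resp))  # 2 = Access-Accept
```

Two things fall out of the exchange that matter when you put a 2FA server behind pam-radius: the only thing protecting the password on the wire is MD5 keyed with the shared secret, so the secret must be long and random and the traffic should stay on a trusted segment or inside a tunnel; and a client that accepts a reply without checking the Response Authenticator can be fed a spoofed Access-Accept by anyone who can reach its UDP port.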