How can I use a passcode generator for authentication for remote logins?

ssh security authentication pam

Solution 1:

One way to do this is with a tool provided by Google called Google Authenticator.

  1. Install libpam-google-authenticator Install libpam-google-authenticator

    • or just sudo apt-get install libpam-google-authenticator

  2. Edit /etc/pam.d/sshd to include the module:

    • sudoedit /etc/pam.d/sshd

    • and then include this line at the top of the file and save:

      auth required pam_google_authenticator.so

  3. Edit your SSH config file to turn on the challenge:

    • sudoedit /etc/ssh/sshd_config and then change the response authentication from: 

      ChallengeResponseAuthentication no

      to

      ChallengeResponseAuthentication yes

      and then save the file.

  4. sudo restart ssh to restart SSH

  5. Run google-authenticator

    • This will give you your secret key, verification code, and emergency scratch codes. It will also ask you some rate limiting questions.

Mobile Applications:

You'll need one of these to receive the authentication code on another device.

  • Android App
  • iPhone App

Related and Useful:

  • Most of this answer is derived from this blogpost by Jean-Francois Theroux but updated.
  • Google Authenticator Wiki
  • http://guides.webbynode.com/articles/security/ubuntu-google-authenticator.html
  • http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html
  • It is my understanding that if you're using passwordless logins via SSH keys that you can only do one or the other, see this question: How can I set up password-less SSH login?
  • And if you're using Puppet, there's a puppet module here: https://github.com/camptocamp/puppet-googleauthenticator
  • See Maarten's answer and link to github issue on why you need to add the .so line at the top of your pam config: https://askubuntu.com/a/668398

Note that combining a password with single-use passcodes is two-factor authentication: it combines “what you know” (a password) with “what you have” (the passcode generator device). On the other hand, if you combine single-use passcodes with an SSH key pair, it's all about “what you have”. When two authentication factors are of the same type, you do not have two-factor authentication; this is sometimes called “one-and-a-half-factor authentication”.

Solution 2:

Google Authenticator is fine for your personal servers but you might find that it doesn't tie in well with your existing identity infrastructure. If you want to explore other options think about using RADIUS as an authentication protocol and the pam-radius plugin. All the enterprise-oriented two-factor authentication systems support radius. We have written a doc on how to add WiKID two-factor authentication via pam-radius to Ubuntu.

Using radius allows you to tie in other systems besides SSH to the same authentication server. You can also route auth requests through freeradius to LDAP and then to your 2FA server to separate authorization from authentication. You can do the same with AD btw.

Related

Is it safe to answer "erase disk and install Ubuntu" on a virtual machine?
How to cross compile for ARM?
How to disable the alt-hotkey behavior on gnome terminal?
Can I disable full-disk encryption?
How can I copy&paste from the host to a KVM guest?
Host alias for ssh
"Boot Error" on live-usb flash drive with 15.10
How to fix broken packages on Ubuntu
Start Process as normal user powershell
How to determine which packages need upgrading in Arch Linux?
Log4j - Older app on Windows server using JRE 1.8.0.x - is it impacted?
What would initiate MariaDB to start to resolve IP addresses?