ssh with passphrase, fallback to Google Authenticator

With the introduction of Google Authenticator and the ability to use it with ssh I was wondering if someone has gone through a sshd_config setup which would

  • first expect a key
  • if this fails, fall back to an authentication with Google Authenticator

The idea being to usually connect seamlessly with a key and, usually in less friendly environments, connect with a two factor mechanism.


Solution 1:

Yes, I have a setup where I can ssh to my server using public key authentication, with a fallback to two-factor authentication with Google Authenticator + password when my private key is not available. These are the steps you can use to set it up.

Installing Google Authenticator

My server is running Ubuntu Bionic Beaver (18.04.1). You can install Google Authenticator using apt:

$ sudo apt install libpam-google-authenticator

Configuring sshd

Open /etc/pam.d/sshd and add the following line at the top:

auth optional pam_google_authenticator.so

Open /etc/ssh/sshd_config and change one line. The existing line is

ChallengeResponseAuthentication no

and you should change it to

ChallengeResponseAuthentication yes

Configuring Google Authenticator for Your Account

The next step is to turn on Google Authenticator for your account. You do this by simply running:

$ google-authenticator

Make sure you run this as the user who will be making ssh connections, not root. Make a note of your new secret key and your emergency scratch codes. The wizard will ask you several questions to configure the security settings for your account.

Configuring Your Mobile App

I use the Google Authenticator app for iPhone. This app has a [+] button that allows me to add a new Time Based Token using the secret key I obtained from the google-authenticator command on my server. It was trivial to set up. I can't help you with apps on any other platform, but I imagine the process is equally simple.

Pulling the Trigger

The last thing you need to do is restart sshd.

$ sudo /etc/init.d/ssh restart

At this point, when you try to connect to the server when your private key is available, authentication just works. When your private key is not available, you will get a prompt for a verification code, then your account password.

Bingo, two-factor authentication.