SSH: Two Factor Authentication
I currently have an Ubuntu Server 12.04 running OpenSSH along with Samba and a few other services. At the current time I have public key authentication set up, and I'm wondering if it's possible to set up two factor authentication? I've been looking at Google Authenticator which I currently use with my Gmail account.
I've found a PAM module that looks like it will be compatible however it seems that you are forced to use a password and the code generated.
I'm wondering if there is a way to use the Google Authenticator Application (or something similar) along with my public key to authenticate into my SSH server?
Red Hat have added a patch to OpenSSH in RHEL (and therefore CentOS) 6.3 to require multiple authentication mechanisms, so you can do something like this:
RequiredAuthentications2 publickey,keyboard-interactive
See the release notes for not much more detail.
Unfortunately this feature doesn't seem to be in OpenSSH upstream nor Ubuntu 12.04, so unless you want to find the patch and recompile OpenSSH I'm afraid you're out of luck.
You are looking for Duo Security
You can use both the Google Authenticator PAM module and public keys, but only one at the time will be used for a given authentication. That is, if a user logs in with an authorized public key, no token will be required.
Or, to say it otherwise: tokens are only required for password authentications, not SSH keys.
This limitation does not come from the Google Authenticator module by the way, but from SSH, which only implements two factor authentication (via ChallengeResponseAuthentication) for PAM, but doesn't call PAM when a valid public key is provided.
This question is from 2012. Since then, SSH has changed and the SSH2 protocol has been implemented.
On more recent versions of SSH (>= 6.2), man sshd_config mentions:
AuthenticationMethods
Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authentication method names. Successful authentication requires completion of every method in at least one of these lists.
For example, an argument of ``publickey,password publickey,keyboard-interactive'' would require the user to complete public key authentication, followed by either password or keyboard-interactive authentication. Only methods that are next in one or more lists are offered at each stage, so for this example, it would not be possible to attempt password or keyboard-interactive authentication before public key.
This option is only available for SSH protocol 2 and will yield a fatal error if enabled if protocol 1 is also enabled. Note that each authentication method listed should also be explicitly enabled in the configuration. The default is not to require multiple authentication; successful completion of a single authentication method is sufficient.
This page http://lwn.net/Articles/544640/ also mentions the possibility of using a publickey and a PAM authentication at the same time.
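As an added example that is not part of this answer or any of the others above (it illustrates both this answer and the earlier one explaining why the Google Authenticator PAM module is skipped when a key is accepted): a POSIX shell script that writes a constructed sshd_config fragment pairing publickey with keyboard-interactive, so the key is checked by sshd and the TOTP code is then asked for through PAM, plus a constructed /etc/pam.d/sshd fragment for pam_google_authenticator, and then lints the sshd_config for the man page's caveat that every method named in AuthenticationMethods must also be explicitly enabled. It assumes OpenSSH 6.2 or later and libpam-google-authenticator installed; the temp-dir file names and the write_sshd_config / write_pam_sshd / option_value / lint_sshd_config helpers are this example's own, not anything from sshd or the PAM module.

```shell
#!/bin/sh
# Added example: generate sshd_config and PAM fragments for public key +
# TOTP (keyboard-interactive via PAM), then check that every method listed
# in AuthenticationMethods is also explicitly enabled, as the man page
# requires. Assumes OpenSSH >= 6.2 and libpam-google-authenticator.
set -e

# Constructed sample files go under a temp dir; nothing under /etc is touched.
WORK=$(mktemp -d)

# write_sshd_config FILE: sshd_config fragment requiring a key, then a TOTP prompt.
write_sshd_config() {
    cat > "$1" <<'EOF'
# Public key first, then a keyboard-interactive (PAM) prompt for the TOTP code.
AuthenticationMethods publickey,keyboard-interactive
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
# A password on its own must never be enough.
PasswordAuthentication no
EOF
}

# write_pam_sshd FILE: Debian/Ubuntu-style /etc/pam.d/sshd that asks only for
# the TOTP code; common-auth (the Unix password) is deliberately left out
# because sshd has already verified the key before PAM runs.
write_pam_sshd() {
    cat > "$1" <<'EOF'
auth required pam_google_authenticator.so
@include common-account
@include common-session
EOF
}

# option_value FILE KEYWORD: print the value of the first uncommented
# occurrence of KEYWORD (sshd uses the first match), empty if absent.
option_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# lint_sshd_config FILE: return 0 if every method in AuthenticationMethods
# (all lists, comma or space separated) is explicitly enabled, else 1.
lint_sshd_config() {
    file=$1
    methods=$(option_value "$file" AuthenticationMethods | tr ',' ' ')
    [ -n "$methods" ] || { echo "no AuthenticationMethods line in $file"; return 1; }
    rc=0
    for m in $methods; do
        case $m in
            publickey)
                kw=PubkeyAuthentication ;;
            keyboard-interactive)
                # OpenSSH 8.7+ renamed this KbdInteractiveAuthentication; accept either.
                if [ "$(option_value "$file" KbdInteractiveAuthentication)" = yes ]; then
                    continue
                fi
                kw=ChallengeResponseAuthentication ;;
            password)
                kw=PasswordAuthentication ;;
            *)
                echo "unknown method '$m'"; rc=1; continue ;;
        esac
        if [ "$(option_value "$file" "$kw")" != yes ]; then
            echo "method '$m' is required but $kw is not set to yes"
            rc=1
        fi
    done
    return $rc
}

write_sshd_config "$WORK/sshd_config"
write_pam_sshd "$WORK/pam_sshd"
lint_sshd_config "$WORK/sshd_config" && echo "$WORK/sshd_config is consistent"
```

The fragments are written to a temp dir only; to apply them, merge them into /etc/ssh/sshd_config and /etc/pam.d/sshd, run `sshd -t` as root to syntax-check, and restart sshd while keeping an existing session open, because a mistyped AuthenticationMethods line locks out every new login until it is fixed.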
I know this question is a little stale, but for the sake of future people (myself included) who are looking for a solution, there's also talk of using the ForceCommand option in the sshd_config file to run a script which then performs the authentication. There's an example script here you can modify a bit to your needs, although in that example he calls it from the authorized_keys file instead of making it system-wide with sshd_config's ForceCommand.