Protect ssh with Google Authenticator on Ubuntu 14.04 LTS

The tutorial is about how we can protect ssh with Google Authenticator on Ubuntu 14.04 LTS server . Google authenticator is a security application which implements time based one time password (TOTP) security tokens. It is often also called as “Two steps verification” .

The server in which Google Authenticator has been setup , to get ssh access to this server require username, password and secret key (Generated by google authenticator application) .

We have setup the Google Authenticator in AWS Ubuntu 14.04 LTS server instance . Below given is roadmap –

1. Install Google Autheticator package.
2. Configure PAM sshd configuration file.
3. Configure ssh server.
4. Create system user and set password.
5. Generate QR code , secret key and verification code for newly created user.
6. Reference for Google Authenticator application in your mobile, Desktop (Linux or Ubuntu) .
7. Access the server via ssh with username

1. Install Google Autheticator package

Login into Ubuntu server and install the google authenticator package.

sudo apt-get update
sudo apt-get install libpam-google-authenticator

2. Configure PAM sshd configuration file

We will edit the PAM’s sshd config file. We will take the backup of this file first.

sudo cp -pvf /etc/pam.d/sshd ~/sshd.original.pam.`date +%F`

Now edit the PAM sshd file and configure the Google authenticator module in it.

vi /etc/pam.d/sshd

## Add the below given line in top of /etc/pam.d/sshd file
auth required pam_google_authenticator.so

The below given is reference from our server. So it will help you at what position the line should be added.

ubuntu@ip-172-31-62-100:~$ egrep -v '^#|^$' /etc/pam.d/sshd
@include common-auth
auth required pam_google_authenticator.so
account    required     pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
@include common-session
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
@include common-password
ubuntu@ip-172-31-62-100:~$

3. Configure ssh server

Now we are configuring the ssh server and edit the sshd_config file. This is also one of the important steps so that it can work with Google Authenticator module which we have set in PAM.

As always next step, take the backup of sshd_config file.

sudo cp -pv /etc/ssh/sshd_config sshd_config.orig.`date +%F`

Now to make it work with google authenticator, edit the sshd_config file and set the parameters as given in below section –

sudo vi /etc/ssh/sshd_config

# edit the below given parmaters
ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes

After saving the sshd_config file. Restart the ssh server

sudo service ssh restart

3. Create system user and set password

Now we will create one user and set its password in server. Then we will generate QR code and keys used by this user for login into server .

For giving example, we are creating a user called sharad and setting its password. Replace the username sharad with your desired username in system .

sudo useradd -m -d /home/sharad sharad
sudo passwd sharad

5. Generate QR code , secret key and verification code for newly created user

As we have seen in above 4th step, we have created a user called sharad. Now we will generate the QR code and its keys. Generating the QR code and keys is very simple method.

Login to user by using su command in server . (Note: We are still in Server)

sudo su -l sharad

Now we will generate code and keys by using below given command from user’s shell.

google-authenticator

It will generate QR code and keys. We would like to share the screenshot taken from our server. Hope it will help you to understand more easily.

Google Authenticator

6. Reference for Google Authenticator application in your mobile, Desktop (Linux or Ubuntu)

To generate verification code , we have to install Google Authenticator apps in our Mobile phones or system .

With this Google Authenticator apps verification code will be generated.

We will talk about how to use Google authenticator apps on your system in new upcoming post with more details.

7. Access the server via ssh with username

Now access the server with user which you have created and generated its QR codes and keys.

It will ask for the password which you set in server and verification code which you will generate from Google authenticator apps.

See the below given reference from our system

sharad@linuxworld:~$ ssh sharad@ec2-52-1-130-111.compute-1.amazonaws.com
Password: 
Verification code: 
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-44-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Mar  1 15:25:29 UTC 2015

  System load:  0.0               Processes:           109
  Usage of /:   10.2% of 7.74GB   Users logged in:     1
  Memory usage: 7%                IP address for eth0: 172.31.62.251
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud


Last login: Sun Mar  1 15:25:29 2015 from 49.205.123.226
$ 
$ 
$ 
Connection to ec2-52-1-130-111.compute-1.amazonaws.com closed.
sharad@linuxworld:~$

2 thoughts on “Protect ssh with Google Authenticator on Ubuntu 14.04 LTS”

  1. Is there a way to exempt a subnet or known IP address? That way the verification is only active for IP’s other than you normal internal LAN, etc?

    Bob

Comments are closed.