The tutorial is about how we can protect ssh with Google Authenticator on Ubuntu 14.04 LTS server . Google authenticator is a security application which implements time based one time password (TOTP) security tokens. It is often also called as “Two steps verification” .
The server in which Google Authenticator has been setup , to get ssh access to this server require username, password and secret key (Generated by google authenticator application) .
We have setup the Google Authenticator in AWS Ubuntu 14.04 LTS server instance . Below given is roadmap –
1. Install Google Autheticator package.
2. Configure PAM sshd configuration file.
3. Configure ssh server.
4. Create system user and set password.
5. Generate QR code , secret key and verification code for newly created user.
6. Reference for Google Authenticator application in your mobile, Desktop (Linux or Ubuntu) .
7. Access the server via ssh with username
1. Install Google Autheticator package
Login into Ubuntu server and install the google authenticator package.
sudo apt-get update sudo apt-get install libpam-google-authenticator
2. Configure PAM sshd configuration file
We will edit the PAM’s sshd config file. We will take the backup of this file first.
sudo cp -pvf /etc/pam.d/sshd ~/sshd.original.pam.`date +%F`
Now edit the PAM sshd file and configure the Google authenticator module in it.
vi /etc/pam.d/sshd ## Add the below given line in top of /etc/pam.d/sshd file auth required pam_google_authenticator.so
The below given is reference from our server. So it will help you at what position the line should be added.
ubuntu@ip-172-31-62-100:~$ egrep -v '^#|^$' /etc/pam.d/sshd @include common-auth auth required pam_google_authenticator.so account required pam_nologin.so @include common-account session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close session required pam_loginuid.so session optional pam_keyinit.so force revoke @include common-session session optional pam_motd.so motd=/run/motd.dynamic noupdate session optional pam_motd.so # [1] session optional pam_mail.so standard noenv # [1] session required pam_limits.so session required pam_env.so # [1] session required pam_env.so user_readenv=1 envfile=/etc/default/locale session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open @include common-password ubuntu@ip-172-31-62-100:~$
3. Configure ssh server
Now we are configuring the ssh server and edit the sshd_config file. This is also one of the important steps so that it can work with Google Authenticator module which we have set in PAM.
As always next step, take the backup of sshd_config file.
sudo cp -pv /etc/ssh/sshd_config sshd_config.orig.`date +%F`
Now to make it work with google authenticator, edit the sshd_config file and set the parameters as given in below section –
sudo vi /etc/ssh/sshd_config # edit the below given parmaters ChallengeResponseAuthentication yes PasswordAuthentication yes UsePAM yes
After saving the sshd_config file. Restart the ssh server
sudo service ssh restart
3. Create system user and set password
Now we will create one user and set its password in server. Then we will generate QR code and keys used by this user for login into server .
For giving example, we are creating a user called sharad and setting its password. Replace the username sharad with your desired username in system .
sudo useradd -m -d /home/sharad sharad sudo passwd sharad
5. Generate QR code , secret key and verification code for newly created user
As we have seen in above 4th step, we have created a user called sharad. Now we will generate the QR code and its keys. Generating the QR code and keys is very simple method.
Login to user by using su command in server . (Note: We are still in Server)
sudo su -l sharad
Now we will generate code and keys by using below given command from user’s shell.
google-authenticator
It will generate QR code and keys. We would like to share the screenshot taken from our server. Hope it will help you to understand more easily.
6. Reference for Google Authenticator application in your mobile, Desktop (Linux or Ubuntu)
To generate verification code , we have to install Google Authenticator apps in our Mobile phones or system .
With this Google Authenticator apps verification code will be generated.
We will talk about how to use Google authenticator apps on your system in new upcoming post with more details.
7. Access the server via ssh with username
Now access the server with user which you have created and generated its QR codes and keys.
It will ask for the password which you set in server and verification code which you will generate from Google authenticator apps.
See the below given reference from our system
sharad@linuxworld:~$ ssh sharad@ec2-52-1-130-111.compute-1.amazonaws.com Password: Verification code: Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-44-generic x86_64) * Documentation: https://help.ubuntu.com/ System information as of Sun Mar 1 15:25:29 UTC 2015 System load: 0.0 Processes: 109 Usage of /: 10.2% of 7.74GB Users logged in: 1 Memory usage: 7% IP address for eth0: 172.31.62.251 Swap usage: 0% Graph this data and manage this system at: https://landscape.canonical.com/ Get cloud support with Ubuntu Advantage Cloud Guest: http://www.ubuntu.com/business/services/cloud Last login: Sun Mar 1 15:25:29 2015 from 49.205.123.226 $ $ $ Connection to ec2-52-1-130-111.compute-1.amazonaws.com closed. sharad@linuxworld:~$
Bob says
Is there a way to exempt a subnet or known IP address? That way the verification is only active for IP’s other than you normal internal LAN, etc?
Bob
sharad chhetri says
Hello Bob,
You can do this with tcp wrapper that is editing /etc/hosts.allow , allowing ssh for particular IP or subnet
Regards
Sharad