top | item 4444926

Add two-factor authentication to your ssh in 30 seconds

240 points| danielpal | 13 years ago |blog.authy.com | reply

106 comments

[+] cs702|13 years ago|reply
Using a third-party service like authy.com has its advantages, but if you prefer, you can get two-factor authentication in the latest Ubuntu without involving a third party by installing libpam-google-authenticator from Ubuntu's "universe" repository.

Here's how you do it: first, sudo apt-get install libpam-google-authenticator; second, run google-authenticator as the user you will access remotely and follow the instructions; then, edit /etc/pam.d/sshd, and add "auth required pam_google_authenticator.so" in a new line; edit /etc/ssh/sshd_config and add (or change) the ChallengeResponseAuthentication line so it reads "ChallengeResponseAuthentication yes"; and finally, sudo service ssh restart to restart the ssh server.

More info is available from the packager of libpam-google-authenticator[1], and from the Google Authenticator PAM module's README.[2]

--

[1] http://blog.theroux.ca/security/ubuntu-2-step-authentication...

[2] http://code.google.com/p/google-authenticator/source/browse/...

--

Edits: Corrected typos; added more context.

[+] danielpal|13 years ago|reply
The biggest problem is you can't use ssh keys with this setup. It's too restrictive, and certificates are a must for ssh.

Also what happens if you lose your cellphone? We thought about this and for us the possibility of losing access to the server fully was too much.

[+] draebek|13 years ago|reply
Thanks for the instructions, I like the fact that Google Authenticator doesn't need to contact their servers (or at least that's how I understand it). Sounds like you could preserve the use of SSH public key authentication by using Google Authenticator in combination with a ForceCommand; I'll have to look into that.

Anyone set up Google Authenticator to only challenge me on a host every N minutes or something like that? I.e., first login requires two-factor auth, subsequent logins don't for at least 30 minutes? Seems like it'd be irritating to keep popping my phone out every time I connect to a remote server.

[+] ersii|13 years ago|reply
Google Authenticator is pretty much a third-party service as well.

Unless I'm mistaken in how Google Authenticator works - of course. If so, please fill in my blank :-)

[+] jlgreco|13 years ago|reply
Interestingly it appears this Authy method does not use PAM. I wonder if there is a reason for that, since a PAM module would be a good deal more flexible (this sort of thing is what PAM is for after all).
[+] pejoculant|13 years ago|reply
Pretty cool. Google Authenticator is another alternative that can be used via a PAM module, with the additional benefit that it doesn't need to connect to something else for verification.

https://code.google.com/p/google-authenticator/

[+] mryan|13 years ago|reply
Seconding the recommendation for PAM/Google Authenticator.

Off-topic: Has anyone ever managed to get PAM/Google Authenticator working with RADIUS? I spent a while messing about with this last year, and never got it working exactly as I had hoped. I'm no longer working with RADIUS, but this post reminded me I never finished scratching that geeky itch.

[+] dlokshin|13 years ago|reply
I've been using Duo Security for two factor auth and have been very happy with it (also easy to set up). Free for all open source projects.
[+] dcu|13 years ago|reply
The problem is that Google Authenticator stores the seed in the phone (and the server), so if you lose it basically you lose the server too, right?
[+] subway|13 years ago|reply
You should really package this up, and provide a signed repo instead of relying on the busted SSL infrastructure and GitHub to provide security to your users.

While this one isn't quite as offensive as some, all these curl/sudo/bash combos really make me sad, particularly when used to "increase" security.

[+] danielpal|13 years ago|reply
You are right. Best for your infrastructure is to fork it and modify it. We for example have a different version we use for chef that already includes everyone's keys.
[+] peterwwillis|13 years ago|reply
SMS is not secure. It can be faked. It goes through multiple networks. It's not encrypted. And if you use a GSM phone, this could be owned two years ago at DEF CON: http://www.pcmag.com/article2/0,2817,2367247,00.asp Not to mention the provider-specific attacks, cloning, etc.

If you start pushing insecure technologies like this, people will just get really comfortable with them and eventually get taken advantage of.

[+] danielweber|13 years ago|reply
Don't let the perfect be the enemy of the good.
[+] dcu|13 years ago|reply
You are not forced to use SMS, you can always use the smartphones apps.
[+] adambyrtek|13 years ago|reply
That's why it's used as a second factor, not the only one.
[+] tylermenezes|13 years ago|reply
> It can be faked.

Not in the way that matters in this case - it's prohibitively difficult to receive someone else's text messages.
[+] cmsj|13 years ago|reply
In the video I see a private key coming from a Dropbox folder :(

Missing. The. Point.

[+] jimktrains2|13 years ago|reply
I didn't watch the video, but if the key is encrypted (password protected) like it should be, what's the problem?
[+] mbq|13 years ago|reply
One more option is Barada PAM module+Android app. http://barada.sourceforge.net/ It is basically a HOTP implementation, where the token is protected by PIN (with PIN being a missing part of the shared secret stored on the token) and the original password is reserved only to be used on trusted machines (or) in case of losing token.
[+] a3_nm|13 years ago|reply
Does this mean that you ping them whenever you ssh? Does this mean that if their service is down you won't be able to ssh anymore?
[+] uptown|13 years ago|reply
The video shows two options for this situation. Either allow access despite the outage, or deny access due to the outage.
[+] dsl|13 years ago|reply
If you are looking for a clean reliable two-factor auth system, I highly recommend Duo: http://www.duosecurity.com/

I've been using them across a half dozen personal machines for quite a while now, looking to roll it out at work as well.

[+] davidblondeau|13 years ago|reply
Right, Duo is great. Love the fact you can install it over the whole enterprise including applications, blogs (Wordpress), vpns, and ssh.
[+] stcredzero|13 years ago|reply
Has anyone added this to other than a server? Seems like this could be added to a notebook or desktop running OS X. (And for that, I would actually prefer Google Authenticator.)

Also, it occurs to me: With TFA, it finally makes sense to periodically change passwords.

[+] aclimatt|13 years ago|reply
Seriously? Another (virtual) token-based 2FA solution? What is your competitive advantage against Duo, Authentify, Entrust, and the thousand other SMS or virtual token 2FA solutions out there?
[+] danielpal|13 years ago|reply
We make it really easy for anyone to use 2FA. The reason 2FA is not popular is not because there aren't enough solutions out there, it's because all of them are basically really hard to use. Especially those that claim to be easy, they are the opposite.
[+] tylermenezes|13 years ago|reply
Been using this for around a month and it's great. Highly recommended.
[+] gizzlon|13 years ago|reply
Hm, can somebody explain what threat two-factor ssh-login is a response to?

If somebody went through the trouble of owning your machine, can't they bypass the two-factor as well? Yes, it requires a more "live" and targeted attack, but one would think ssh attacks like these are pretty targeted in the first place. Or? What am I missing?

[+] darklajid|13 years ago|reply
Maybe I'm missing some assumptions of yours, but for me the reason to do that is to .. protect the ssh login.

Who talks about a machine that is owned? This is about an additional requirement to log on to a service, be it ssh or email. Whether you're reusing your password, sharing it or just use a really bad one this adds an additional step to impersonate you.

[+] eslachance|13 years ago|reply
This is great but one thing bugs me. When you add a new user, you have to restart SSH? Wouldn't that prevent people from connecting every time a new user is added?
[+] dcu|13 years ago|reply
Even if you restart the ssh server it won't prevent people from connecting to the server because SSH forks the clients.
[+] danielpal|13 years ago|reply
No, when you add a new user you don't need to restart. Only restart the server when you install the plugin.
[+] peacetara|13 years ago|reply
What about two-factor authentication for sudo? I'd rather start my users off with sudo 2 factor auth, and grow them into two-factor auth for ssh and other stuff.
[+] bbromhead|13 years ago|reply
Fairly certain port forwarding still works while a command specified in ForceCommand is still running or if you specify a non-interactive shell.

Though I haven't checked ;)

[+] darklajid|13 years ago|reply
I added support for yubikey to my installation. That thing's always on my keychain and can be used as second factor or otp generator (or both).
[+] amirmansour|13 years ago|reply
This is awesome. I wish the people at Authy the best. Now I'm gonna 2-factor auth the hell out of everything.
[+] jfaucett|13 years ago|reply
yes exactly what I've been looking for, awesome tool! Thanks for sharing.
[+] msie|13 years ago|reply
I can't wait until three-factor authentication!!!