Friday, March 22, 2013

Using Google Authenticator and Android for two-step verification of SSH access

Today I tried Google Authenticator, a really good security measure to protect your email - or a nightmare if you lose the phone and the emergency codes :)

I applied it to my SSH access... works like a charm. Thank you again, Google!

First, you need to install the following package (at least on Debian; other distros may use different package names):

sudo apt-get install libpam-google-authenticator

or you can build it yourself if the package is not available in your distro. In that case, install the build dependencies first:

$ sudo apt-get install git libpam0g-dev make gcc

After that, we download the code using git:

$ git clone https://code.google.com/p/google-authenticator/
Cloning into 'google-authenticator'...
remote: Counting objects: 1048, done.
remote: Finding sources: 100% (1048/1048), done.
remote: Total 1048 (delta 504)
Receiving objects: 100% (1048/1048), 2.27 MiB | 575 KiB/s, done.
Resolving deltas: 100% (504/504), done.


Now let's build it:

$ make
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator.so pam_google_authenticator.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o demo.o demo.c
gcc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_demo.o pam_google_authenticator.c
gcc -g   -rdynamic -o demo demo.o pam_google_authenticator_demo.o base32.o hmac.o sha1.o  -ldl
gcc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden        \
              -o pam_google_authenticator_testing.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator_testing.so pam_google_authenticator_testing.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
gcc -g   -rdynamic -o pam_google_authenticator_unittest pam_google_authenticator_unittest.o base32.o hmac.o sha1.o -lc  -ldl

$ sudo make install
[sudo] password for amartin: 
cp pam_google_authenticator.so /lib/x86_64-linux-gnu/security
cp google-authenticator /usr/local/bin

Now, as the user we want to enable two-step authentication for, we run the google-authenticator command. We will answer YES to pretty much everything.

Be aware that every user on the system will need to run google-authenticator and have their own secret; otherwise, with the PAM configuration shown below, they won't be allowed to SSH into the system.

$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/amartin@Zealot%3Fsecret%XXXXXXXXXXXX


(the QR code for this URL is also drawn on the console)


Your new secret key is: XXXXXXXXXXXX
Your verification code is 111111
Your emergency scratch codes are:
  666666
  222222
  [...]

Do you want me to update your "/amartin/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
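The prompts above describe what the module checks at every login: a six-digit code derived from the shared secret and the current 30-second time step, a skew window of one step on either side of the current one, single use of each accepted code, and a cap of three attempts per 30 seconds. The following Python is an added example written for this post, not the PAM module's own code, that implements those checks so the properties can be tried out offline. The secret is the RFC 4226/6238 test key in the base32 form the setup tool prints (a constructed value, not a real secret), and the `TotpVerifier` class with its `window`, `max_attempts` and `interval` parameters are this example's own names.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per token, as the setup prompt says
DIGITS = 6       # Google Authenticator shows six-digit codes


def decode_secret(b32_secret: str) -> bytes:
    """Decode the base32 secret that google-authenticator prints (padding optional)."""
    s = b32_secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238: the time-based token is HOTP with counter = floor(time / 30)."""
    return hotp(key, unix_time // TIME_STEP)


class TotpVerifier:
    """Server-side check with the three properties chosen in the setup prompts:
    a skew window (tokens one step before/after the current one are accepted),
    single use of each accepted token, and a cap on attempts per interval.
    Illustrative re-implementation; the real checks live in the PAM module."""

    def __init__(self, key: bytes, window: int = 1, max_attempts: int = 3, interval: int = 30):
        self.key = key
        self.window = window              # 1 = current step plus one before and after (the 1:30 min default)
        self.max_attempts = max_attempts  # the "3 login attempts every 30s" rate limit
        self.interval = interval
        self.used_steps = set()           # steps whose token was already accepted once
        self.attempts = []                # timestamps of recent attempts, successful or not

    def verify(self, code: str, unix_time: int) -> bool:
        # Rate limiting: forget attempts older than the interval, refuse when the cap is reached.
        self.attempts = [t for t in self.attempts if unix_time - t < self.interval]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(unix_time)

        now = unix_time // TIME_STEP
        for step in range(now - self.window, now + self.window + 1):
            # Constant-time comparison, so timing does not leak how many digits matched.
            if hmac.compare_digest(hotp(self.key, step), code):
                if step in self.used_steps:
                    return False          # replay: this token was already consumed
                self.used_steps.add(step)
                return True
        return False


if __name__ == "__main__":
    # RFC 4226/6238 test secret "12345678901234567890" in base32 (constructed sample).
    key = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    v = TotpVerifier(key)
    code = totp(key, 59)
    print("token at t=59:", code)
    print("first use accepted:", v.verify(code, 59))
    print("replay accepted:", v.verify(code, 59))
```

Widening the window, as the third prompt offers, corresponds to a larger `window` value here; every extra step accepted on either side is one more valid code at any given moment, which is why the tool pairs that choice with the rate-limiting question that follows it.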


Now, install Google Authenticator and Barcode Scanner on your phone. When you start Google Authenticator, add a new account and choose to scan a barcode; Barcode Scanner reads the QR code shown above and fills in the secret for you.


After setting up the account, you will see a screen like this every time you open Google Authenticator:


Now, we need to enable the module for SSH:

$ sudo vi /etc/pam.d/sshd

We add these lines:

# Google authenticator
auth required pam_google_authenticator.so

We also tell sshd to use challenge-response authentication, so that it asks for the verification code:

$ sudo vi /etc/ssh/sshd_config
ChallengeResponseAuthentication yes


$ sudo service ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.
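With the PAM line and the sshd_config setting in place, the following Python is an added example, not from this post or from OpenSSH, that reads the two files and reports what is missing before you restart sshd and lock yourself out. The sample file contents are constructed, and `audit`, `pam_otp_enabled` and `sshd_options` are this example's own names. It also flags a case the walkthrough does not cover: sshd runs the PAM auth stack only for password and keyboard-interactive logins, so a user with an authorized public key is never asked for a verification code unless the OpenSSH 6.2+ keyword AuthenticationMethods requires both.

```python
import os
import re

PAM_MODULE = "pam_google_authenticator.so"

# Constructed samples of the relevant parts of the two files.
SAMPLE_PAM = """# PAM configuration for the Secure Shell service (constructed sample)
# Google authenticator
auth required pam_google_authenticator.so
@include common-auth
"""
SAMPLE_SSHD = """# constructed sample of the relevant sshd_config lines
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
"""


def pam_otp_enabled(pam_sshd_text: str) -> bool:
    """True when an active (uncommented) 'auth' line in /etc/pam.d/sshd loads the module."""
    for line in pam_sshd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth" and any(f.endswith(PAM_MODULE) for f in fields[2:]):
            return True
    return False


def sshd_options(sshd_config_text: str) -> dict:
    """Effective global options of sshd_config: keywords are case-insensitive,
    'keyword value' or 'keyword=value' both occur, the first occurrence wins,
    and everything after a Match line is conditional, so it is ignored here."""
    opts = {}
    for line in sshd_config_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", s, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, value)
    return opts


def audit(pam_sshd_text: str, sshd_config_text: str) -> list:
    """Return a list of findings; an empty list means the post's setup is in place."""
    findings = []
    if not pam_otp_enabled(pam_sshd_text):
        findings.append("/etc/pam.d/sshd has no active 'auth ... %s' line" % PAM_MODULE)
    opts = sshd_options(sshd_config_text)
    # Upstream default for ChallengeResponseAuthentication is yes; for UsePAM it is no.
    if opts.get("challengeresponseauthentication", "yes").lower() != "yes":
        findings.append("ChallengeResponseAuthentication is not 'yes', so no verification code is requested")
    if opts.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not 'yes', so sshd will not run the PAM auth stack at all")
    if opts.get("pubkeyauthentication", "yes").lower() == "yes" and "authenticationmethods" not in opts:
        findings.append("public-key logins bypass the verification code "
                        "(PAM auth only runs for password/keyboard-interactive logins; "
                        "AuthenticationMethods is not set)")
    return findings


if __name__ == "__main__":
    print("sample configuration:", audit(SAMPLE_PAM, SAMPLE_SSHD) or ["no findings"])
    pam_path, sshd_path = "/etc/pam.d/sshd", "/etc/ssh/sshd_config"
    if os.access(pam_path, os.R_OK) and os.access(sshd_path, os.R_OK):
        with open(pam_path) as p, open(sshd_path) as c:
            print("this host:", audit(p.read(), c.read()) or ["no findings"])
```

Run as a user that can read both files; on the sample input the only finding is the public-key bypass, which is the expected state of the setup described in this post.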


Now, if we try to log in from another device:

$ ssh 10.10.17.153
Verification code: (we enter the token we have in the mobile app)
Password: (usual password)
Linux Zealot 2.6.39-2-amd64 #1 SMP Wed Jun 8 11:01:04 UTC 2011 x86_64

Last login: Thu Mar 21 13:59:16 2013 from XXXXX.local

amartin@Zealot:~$


Done! 
