two factor authentication with ssh
June 03, 2017
🔗Two-Factor-Authentication "2FA" with SSH
Install google authenticator and libqrencode:
pkg install pam_google_authenticator
pkg install libqrencode
Edit /etc/pam.d/sshd an add the following line to the auth section:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
#auth required pam_unix.so no_warn try_first_pass
auth required /usr/local/lib/pam_google_authenticator.so
Add this to/etc/ssh/sshd_config:
CallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
This setup will do a "publickey + verification code", without password, in
case you require password edit the /etc/pam.d/sshd and ensure the line
pam_unix.so is uncommented
auth required pam_unix.so no_warn try_first_pass
auth required /usr/local/lib/pam_google_authenticator.so
🔗Enable 2FA per user:
Execute google-authenticator as the user you want to protect with MFA:
su - alice -c google-authenticator
You can answer all questions to Y, the configuration will be saved in this
file ~/.google-authenticator
The content of the file looks like this:
> cat .google_authenticator
VLS3WGLC4YTVFSSK
" TIME_SKEW 0
" RESETTING_TIME_SKEW
" RATE_LIMIT 3 30 1496497256
" WINDOW_SIZE 17
" DISALLOW_REUSE 49883227
" TOTP_AUTH
12268625
67512245
75096563
52505947
42447122
If for some reason the user can't scan the qrcode due the font issues, use the code instead, in this example:
VLS3WGLC4YTVFSSK