Using only a username and password for authentication is no longer secure. With user-database dumps reaching millions of exposed, albeit hashed and salted, passwords. Secure authentication should include not only something you know, but also something you have (in your pocket… always).
There have been several OTP and general 2FA solutions for Linux. From SMS (Text-me-a-password) to Yubikeys. There exists a Free (so far) TOTP (Time-Based One Time Password) solution from Google, called Google Authenticator.
It uses an App called Authenticator for iOS (and Android i presume) to “show” you the tokens, who live for 30 seconds each. There exists an even more awesome package for Debian and Ubuntu called google-authenticator, which allows you to easily set it up! The package also includes the necessary PAM module.
I have made the following steps on a Raspberry Pi, running Raspian.
- Install Google Authenticator
pi@awesomebox ~ $ sudo apt-get install libpam-google-authenticator
- Run Google Authenticator
pi@awesomebox ~ $ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
...BIG
......FANCY
.........QR-CODE
Your new secret key is: ZZZZZZZZZZZZZZZZ
Your verification code is 123456
Your emergency scratch codes are:
11111111
22222222
33333333
44444444
55555555 - Scan the QR-CODE on screen with the Authenticator App
Scanning...
- Answer yes (y)
Do you want me to update your "/home/pi/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication token? (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. Do you want to do so (y/n) y
Do you want to enable rate-limiting (y/n) y - Add PAM module
pi@awesomebox ~ $ sudo echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
- Enable “Challenge-Response Authentication” in SSH
pi@awesomebox ~ $ sudo vi /etc/ssh/sshd_config
Change entry ChallengeResponseAuthentication from no to yes. - Restard SSH
pi@awesomebox ~ $ service ssh restart
- Test it out
Open up a new terminal window and ssh to your box as you normally would
user@lazybox ~ $ ssh pi@awesomebox
Password: [Enter password]
Verification code: [Enter TOTP-token from App]
Happy TOTP-ing 🙂