Two factor user authentication with Google Authenticator
Google just made its Google Authenticator widely available, so it’s a good way to make your Webby extra secure with two factor authentication.
In case you’re not familiar with the term, this form of authentication requires something you have (in this case your mobile phone) and something you know (your password).
You’ll need either an iPhone, an Android enabled device or a Blackberry.
Before starting, go download and install the Google Authenticator to your phone.
Installing Google Authenticator on Ubuntu 10.04
First you need to install three prerequisites: gcc, mercurial and libpam0g-dev (make sure you either execute this steps as
root or use
$ apt-get update $ apt-get -yy install gcc mercurial libpam0g-dev
Now let’s clone the repo and install it:
$ cd ~ $ hg clone https://google-authenticator.googlecode.com/hg/ \ google-authenticator $ cd google-authenticator/libpam $ make install
You should see something like this:
... some gcc compilation output ... cp pam_google_authenticator.so /lib/security cp google-authenticator /usr/local/bin sudo chmod 755 /lib/security/pam_google_authenticator.so \ /usr/local/bin/google-authenticator
Configuring Google Authenticator
/etc/ssh/sshd_config and change the
# Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no
It should now be:
# Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication yes
Now, change the PAM configuration to include the Google Authenticator module. Edit
/etc/pam.d/common-auth and insert a new line between the comment and the first auth line:
# here are the per-package modules (the "Primary" block) auth [success=1 default=ignore] pam_unix.so nullok_secure # here's the fallback if no module succeeds
Leaving it this way:
# here are the per-package modules (the "Primary" block) auth required pam_google_authenticator.so auth [success=1 default=ignore] pam_unix.so nullok_secure # here's the fallback if no module succeeds
Create a configuration for the current shell user:
$ google-authenticator https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@ some#some%3Fsecret%3DPKRTA4H5GLN7OTLA Your new secret key is: PKRTA4H5GLN7OTLA Your verification code is 613177 Your emergency scratch codes are: 80419043 52322813 46557473 35541313 66835603 Do you want me to update your "~/.google_authenticator" file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it in creases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
Now, copy and paste the generated URL to your browser and a QRCode will be generated:
Open the Google Authenticator app on your phone, choose Scan Barcode and point the camera to your browser. A new key should be added automatically to your list. This code will change every 30 seconds. Please note that if you don’t have a barcode scanner you will be prompted to install one.
If you’re still unsure how to use your phone’s app, please check these step by step instructions on Google Accounts help.
Also, save the scratch codes, they can be used when you don’t have your phone available.
You can repeat these steps for each user you want to add two factor authentication for.
Now save and exit your editor and restart the ssh daemon. IMPORTANT: do not close this ssh session after restarting the ssh service.
$ /etc/init.d/ssh restart * Restarting OpenBSD Secure Shell server sshd [ OK ]
Now open another ssh session and try to log in. You should now be prompted for the Verification code and your Password. Enter the code as it appears on your phone, and your usual password for the user:
$ ssh email@example.com Verification code: Password: Linux ahost 2.6.32-24-generic-pae #39-Ubuntu SMP Wed Jul 28 07:39:26 UTC 2010 i686 Ubuntu 10.04.1 LTS Welcome to Ubuntu! * Documentation: https://help.ubuntu.com/ System information as of Sat Feb 19 01:06:03 EST 2011 System load: 0.0 Processes: 105 Usage of /: 30.6% of 4.85GB Users logged in: 1 Memory usage: 44% IP address for eth0: 188.8.131.52 Swap usage: 3% Graph this data and manage this system at https://landscape.canonical.com/ root@ahost:~#
If by any chance the authentication failed after a couple of tries, it’s recommended that you undo the changes you’ve made to
/etc/ssh/sshd_config and to
/etc/pam.d/common-auth, and restart the ssh daemon one more time. The authentication method should revert to password-only (or publickey, depending on what you had before).
- Installing and Configuring ufw for securing your Webby;
- Google Authenticator page on Google Code;
- Turning on 2-step verification: Installing Google Authenticator on Google Accounts help;