I’m a pretty big fan of two-factor authentication: it lets you secure a server significantly without inconveniencing your users too much. I’ve used ppp-pam before, and use RSA SecurID for a few things as well; they’re great implementations. Today it came to my attention that Google had not only made an authenticator app for Google Apps accounts, but also a PAM module for it. It works much like RSA SecurID: you put in your password, and once that is accepted you give it the code that the app on your phone displays, a time-based one-time password that changes every 30 seconds.
This article covers how to set it up on your own Linux server. I’ll be doing this on a Debian 6 install, so you may need to alter the commands for your distribution; read on after the jump for the how-to.
First off, we need the tools to build everything. On Debian this is easily achieved with
# aptitude install build-essential
You’ll also need Mercurial to check out the code, and the PAM development headers (on some Debian releases the package is named libpam0g-dev instead):
# aptitude install mercurial libpam-dev
Additionally, if you want the setup tool to print a QR code that your phone’s app can scan, install the qrencode library:
# aptitude install libqrencode-dev
Now that we have all the libraries installed, we need to download the source:
# hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator
Once it has checked out, move into the google-authenticator/libpam directory and issue
# make install
This builds and installs the PAM module, plus a command-line tool that generates your secret. Let’s start with that:
# google-authenticator
If libqrencode is installed, this first displays a QR code in the terminal; otherwise you can paste the URL it prints into a browser to display the QR code, or enter the secret by hand. Either way you need to add the account to your phone’s app. The easiest method is the QR code: choose the add button, then “scan barcode”, and point the camera at the QR code, which sets up the account for you. Otherwise set it up manually using the secret the tool printed. The secret is written to ~/.google_authenticator in the home directory of the user running the tool, so run it as each user who will log in; every account on the system needs its own.
After your phone is set up, look back at your terminal and answer the questions it asks; most concern rate limiting, reuse of codes and how much clock skew between phone and server to tolerate. Once done, you need to edit two files. The first tells PAM to use the module:
# vim /etc/pam.d/common-auth
In this file add the following line:
auth required pam_google_authenticator.so
This tells PAM that the module must succeed for authentication to proceed. Note that common-auth is included by most PAM-using services (login, su, sudo and so on), not just SSH, so from now on a user who has not run google-authenticator will be refused by the module; keep your current root session open until you have confirmed the change works. If you plan on using this for SSH (which you probably are), you’ll also need to allow SSH to use keyboard-interactive challenge-response authentication:
# vim /etc/ssh/sshd_config
Find the ChallengeResponseAuthentication line and set it to yes:
ChallengeResponseAuthentication yes
Once this is done, restart SSH and, keeping your current session open, connect from a NEW shell to test the change:
# ssh root@10.1.1.20
Password:
Verification code:
Linux Sharaa 2.6.32-5-xen-amd64 #1 SMP Thu May 19 01:16:47 UTC 2011 x86_64
Hopefully it all works and you can enjoy your two-factor authentication.
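To see what the phone app is actually computing, here is the TOTP algorithm the module verifies (RFC 6238: HMAC-SHA1 over a 30-second counter, truncated to 6 digits), written as an added example rather than code from the original post or the Google Authenticator project. It decodes the base32 secret the setup tool prints, parses the otpauth URI encoded in the QR code (it expects a literal ? and = in the URI, as the tool prints them), and verifies a code with a skew window like the one the setup questions ask about. The secret used in the usage section is the RFC 4226/6238 test key, not a real one, and the account label is made up.

```python
"""TOTP as checked by the Google Authenticator PAM module.

Added example, not the project's code. Assumes the module's defaults:
HMAC-SHA1, 30-second step, 6-digit codes (the RFC 6238 defaults).
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

STEP = 30      # seconds per code
DIGITS = 6     # code length


def decode_secret(b32: str) -> bytes:
    """Decode the base32 secret printed by `google-authenticator` and stored
    in ~/.google_authenticator. Lower case, spaces and missing '=' padding
    are tolerated, since people retype these by hand."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian 64-bit counter, then
    dynamic truncation to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // STEP)


def verify(key: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and up to `window` steps on
    either side; this is the tolerance the setup tool's "window size"
    question controls. compare_digest keeps the check constant-time."""
    counter = at // STEP
    return any(
        hmac.compare_digest(hotp(key, counter + skew), code)
        for skew in range(-window, window + 1)
    )


def parse_otpauth(uri: str) -> Tuple[str, bytes]:
    """Parse otpauth://totp/<label>?secret=<base32> (the QR code's content)
    into (label, key). Raises ValueError for anything else."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(u.query)
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret= parameter")
    return unquote(u.path.lstrip("/")), decode_secret(params["secret"][0])


if __name__ == "__main__":
    # Constructed sample: RFC 6238 test key "12345678901234567890" in base32,
    # with a made-up account label. Not a real secret.
    sample = "otpauth://totp/root@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    label, key = parse_otpauth(sample)
    print(f"account {label}: code at T=59 is {totp(key, 59)} (RFC vector: 287082)")
    print(f"code right now: {totp(key)}")
    print("accepted with +/-1 step skew:", verify(key, totp(key, 59), 59 + STEP))
```

If a code the phone shows is rejected but `totp()` run against the same secret agrees with the phone, the clock on one side is off; compare `date` on the server with the phone before widening the window, since every extra step you allow is another code an attacker may guess.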
My computer: 192.168.1.123
OS: openSUSE 11.4
Step by step it works fine.
But I don’t know about “Use your camera to focus the QR code and it will set up the account for you. Otherwise you need to set it manually using the provided information. You will need to do this for each account on the system.”
I use Barcode Scanner on Android mobile, but can’t see how to set up the account.
After the scan finishes it shows
otpauth://totp/root@bcit123%3Fsecret%3DP4XQ55JFZHQGH522
Format QR_CODE
Type URI
Time …
Metadata M
“Open browser” button, and then I click it.
Error: Sorry, the requested application could not be launched.
Note: connected to Wi-Fi
How to set up the account?
My problem: the verification code is wrong
linuxter1:~ # ssh 192.168.1.123
Password:
Verification code:
Password:
Verification code:
Password:
Verification code:
Permission denied (publickey,keyboard-interactive).
Thank you,
Did you install the Google Authenticator app?
http://www.google.com/support/accounts/bin/answer.py?answer=1066447
If that doesn’t work, then put in user@hostname as the account name, and manually type in the secret that the setup provided.
Working fine. Thank you Ryuujinx,
I will translate your article into Thai (step by step for SUSE Linux).
Awesome post, worked perfectly. Thank you!
Just a heads up for anybody who stumbles across this: you can’t use public keys and the authenticator. I switched back to passwords and it worked just fine.
On Debian 6.0.5 I had to install libpam0g-dev.