I’m a pretty big fan of two-factor authentication: it lets you secure a server significantly without inconveniencing your users too much. I’ve used ppp-pam before, and use RSA SecurID for a few things as well; they’re great implementations. Today it came to my attention that Google had made an authenticator app for Google Apps accounts, and also made a PAM module. It works much like RSA SecurID – you enter your password, and once that is accepted you enter the code that the app on your phone displays, which changes every 30 seconds or so based on its algorithm.

This article is going to cover how to set it up on your own Linux server. I’ll be doing this on a Debian 6 install, so you may need to alter the commands for your distribution. Read on after the jump for the how-to.

First off, we need to install the build tools. On Debian this is easily achieved with

 # aptitude install build-essential 

You’ll also need Mercurial to check out the code, plus the PAM development headers.

 # aptitude install mercurial libpam-dev 

Additionally, if you want to automate setting up your phone’s app, you’ll want to install the qrencode library –

 # aptitude install libqrencode-dev 

Now that we have all the libraries installed, we need to download the source –

 # hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator 

Once the clone finishes, move into the google-authenticator/libpam directory and issue

 # make install 

This will set up the module, along with an application that generates your secret and codes. Let’s start with that:

# google-authenticator

If you have libqrencode installed this will first display a QR code; alternatively you can copy the URL it prints into a browser to display the QR code, or enter the information manually. Either way, you need to open your phone’s app and add the account. The easiest method is to use the QR code: select the add button, then “scan barcode”, and point your camera at the QR code; the app will set up the account for you. Otherwise, set it up manually using the information provided. You will need to do this for each account on the system.

After your phone is set up, look back at your terminal and answer the questions it asks. Most of them concern rate limiting and other security features. Once done, you need to edit two files. The first tells PAM to use the module:

 # vim /etc/pam.d/common-auth 

In this file add the following line:

 auth    required                        pam_google_authenticator.so 

This tells PAM that the module is required in order to authenticate. If you plan on using this for SSH (which you probably are), you’ll also need to allow SSH to use challenge-response authentication:

 # vim /etc/ssh/sshd_config 

Find the ChallengeResponseAuthentication line and set it to yes:

 ChallengeResponseAuthentication yes 

Once this is done, restart SSH and open a NEW shell to test your change:

# ssh root@10.1.1.20
Password: 
Verification code: 
Linux Sharaa 2.6.32-5-xen-amd64 #1 SMP Thu May 19 01:16:47 UTC 2011 x86_64

Hopefully it all works and you’ll be able to enjoy your two-factor authentication.
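What the module is checking when it prompts for “Verification code:” above, as an added Python example (not code from the google-authenticator project): the phone and the server share a base32 secret, both derive the 6-digit code from HMAC-SHA1 over the current 30-second step, and the server tolerates a little clock skew while refusing to accept the same code twice. The secret below is the RFC 4226/6238 test seed, constructed for the example, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: base32 of the ASCII seed "12345678901234567890"
# (the RFC 4226/6238 test vector seed), not a real account secret.
# google-authenticator prints the per-account secret in this base32 form.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret_b32, unix_time // step, digits)


def verify(secret_b32: str, code: str, unix_time: int, window: int = 1,
           last_counter: int = -1, step: int = 30):
    """Check a submitted code the way a PAM module would.

    Accepts codes from `window` steps either side of now (clock skew between
    phone and server), compares in constant time, and refuses any counter at
    or before the last accepted one so a captured code cannot be replayed.
    Returns (accepted, counter_to_store); the caller persists the counter.
    """
    now = unix_time // step
    for candidate in range(now - window, now + window + 1):
        if candidate <= last_counter:
            continue  # already used, or older than one already accepted
        if hmac.compare_digest(hotp(secret_b32, candidate), code):
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    # Prints the same code the phone app would show for SAMPLE_SECRET right now.
    print("current code:", totp(SAMPLE_SECRET, int(time.time())))
```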
