Two-factor SSH to Ubuntu 11.04 with Google Authenticator
Read on for instructions setting up two-factor auth for SSH logins under Ubuntu. I used 11.04 Natty Narwhal; other releases may require small tweaks.
My employer is piloting the use of Duo Mobile for our VPN logins. (Aside: on iOS the app supports push notifications, so two-factor means pressing a green button on my phone at login time. Nice!) The latest update included "3rd-party TOTP passcode support." Searching around, I found hotp-php, and, more to the point of this post, the google-authenticator project on Google Code. The project includes a libpam module for secondary token authentication in supported services, including the OpenSSH server.
If you're using public key authentication, you won't be prompted for your two-factor auth token. Even so, this gives you peace of mind when enabling password authentication, if you ever have to login on a machine that doesn't have your key.
libqrencode3 so you don't have to manually type the
~$ sudo apt-get install libqrencode3
Next, download and install the [
google-authenticator PAM module]:
git clone https://code.google.com/p/google-authenticator/ cd google-authenticator/libpam/ make sudo make install
Run the binary to enable two-factor auth for your user account:
Follow the prompts to customize your desired token lifetime window, whether or not tokens can be reused, and other settings. You'll get a sweet-as-hell ASCII art QR code which you can feed to your TOTP app's "Scan Barcode" feature. Go ahead and scan using Duo Mobile, Google Authenticator, or another TOTP app.
Now add the Google authenticator to your PAM settings file for sshd:
~$ sudo vim /etc/pam.d/sshd
Add the following line:
auth required pam_google_authenticator.so
You may also need to enable challenge/response authentication in sshd:
$ sudo vim /etc/ssh/sshd_config
Make sure you have this directive:
And restart sshd:
sudo service ssh restart
Key-based authentication will override token-based. If you usually use
tokens, temporarily disable them in
sshd_config before testing token
You should be prompted for the token before being prompted for a password. Cheers! Your remote logins are now protected by two-factor auth.