I would like to strengthen the authentication of my SSH logins by adding another factor: a passcode generator device, or a passcode generation application on my mobile phone. The only obvious options in the default setup are a fixed password and key pair. How can I do this?
(If I use a password plus a passcode generator, this provides two-factor authentication (2FA): the password is “what I know”, and the passcode is “what I have”.)
One way to do this is with a tool provided by Google called Google Authenticator.
Install libpam-google-authenticator
sudo apt-get install libpam-google-authenticator
Edit /etc/pam.d/sshd to include the module:
sudoedit /etc/pam.d/sshd
and then include this line at the top of the file and save:
auth required pam_google_authenticator.so
Edit your SSH config file to turn on the challenge:
sudoedit /etc/ssh/sshd_config
and then change the response authentication from:
ChallengeResponseAuthentication no
to
ChallengeResponseAuthentication yes
and then save the file.
Restart SSH:
sudo restart ssh
Run google-authenticator
You'll need one of these to receive the authentication code on another device.
Note that combining a password with single-use passcodes is two-factor authentication: it combines “what you know” (a password) with “what you have” (the passcode generator device). On the other hand, if you combine single-use passcodes with an SSH key pair, it's all about “what you have”. When two authentication factors are of the same type, you do not have two-factor authentication; this is sometimes called “one-and-a-half-factor authentication”.
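Added example, not part of the original answer: a POSIX shell check that the two edits described above are actually in effect, including the case where an earlier `ChallengeResponseAuthentication no` shadows a `yes` added further down (sshd uses the first value it reads for a keyword). The function names and the constructed sample files are assumptions for illustration, and Include files are not followed.

```sh
#!/bin/sh
# Added example, not from the original answer. Paths are arguments so the
# checks can be run on copies of the real files.

# Exit 0 if the PAM file has an active "auth required" line for the module.
pam_requires_google_auth() {
    awk '
        /^[ \t]*#/ { next }                            # commented-out line
        $1 == "auth" && $2 == "required" &&
        $3 ~ /(^|\/)pam_google_authenticator\.so$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print the global ChallengeResponseAuthentication value, lowercased.
# sshd keeps the first occurrence of a keyword and ignores keyword case.
# Assumption: Include files are not followed; Match blocks are skipped.
challenge_response_value() {
    awk '
        /^[ \t]*#/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }                  # keyword=value form
        tolower($1) == "match" { exit }                # global section ends
        tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }
    ' "$1"
}

# usage: check_ssh_2fa PAM_FILE SSHD_CONFIG
check_ssh_2fa() {
    status=0
    if ! pam_requires_google_auth "$1"; then
        echo "FAIL: no active 'auth required pam_google_authenticator.so' in $1"
        status=1
    fi
    value=$(challenge_response_value "$2")
    if [ "$value" != "yes" ]; then
        echo "FAIL: ChallengeResponseAuthentication is '${value:-unset}' in $2"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: both edits are in place"
    return "$status"
}

# Constructed sample: the module line is present, but an earlier "no" shadows
# the "yes" that was appended to sshd_config, so the challenge stays off.
demo=$(mktemp -d)
printf 'auth required pam_google_authenticator.so\n@include common-auth\n' > "$demo/pam"
printf 'ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n' > "$demo/sshd"
check_ssh_2fa "$demo/pam" "$demo/sshd" || true
rm -rf "$demo"
```

On a real host, call `check_ssh_2fa /etc/pam.d/sshd /etc/ssh/sshd_config` before restarting SSH, and keep an existing session open until a fresh login has been tested.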