How can I use a passcode generator for authentication for remote logins?
Jorge Castro
I would like to strengthen the authentication of my SSH logins by adding another factor: a passcode generator device, or a passcode generation application on my mobile phone. The only obvious options in the default setup are a fixed password and key pair. How can I do this?
(If I use a password plus a passcode generator, this provides two-factor authentication (2FA): the password is “what I know”, and the passcode is “what I have”.)
Jorge Castro
One way to do this is with a tool provided by Google called Google Authenticator.
Install libpam-google-authenticator
- or just
sudo apt-get install libpam-google-authenticator
- or just
Edit
/etc/pam.d/sshdto include the module:sudoedit /etc/pam.d/sshdand then include this line at the top of the file and save:
auth required pam_google_authenticator.so
Edit your SSH config file to turn on the challenge:
sudoedit /etc/ssh/sshd_configand then change the response authentication from:ChallengeResponseAuthentication noto
ChallengeResponseAuthentication yesand then save the file.
sudo restart sshto restart SSHRun
google-authenticator- This will give you your secret key, verification code, and emergency scratch codes. It will also ask you some rate limiting questions.
Mobile Applications:
You'll need one of these to receive the authentication code on another device.
Related and Useful:
- Most of this answer is derived from this blogpost by Jean-Francois Theroux but updated.
- Google Authenticator Wiki
- http://guides.webbynode.com/articles/security/ubuntu-google-authenticator.html
- http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html
- It is my understanding that if you're using passwordless logins via SSH keys that you can only do one or the other, see this question: How can I set up password-less SSH login?
- And if you're using Puppet, there's a puppet module here: https://github.com/camptocamp/puppet-googleauthenticator
- See Maarten's answer and link to github issue on why you need to add the .so line at the top of your pam config: https://askubuntu.com/a/668398
Note that combining a password with single-use passcodes is two-factor authentication: it combines “what you know” (a password) with “what you have” (the passcode generator device). On the other hand, if you combine single-use passcodes with an SSH key pair, it's all about “what you have”. When two authentication factors are of the same type, you do not have two-factor authentication; this is sometimes called “one-and-a-half-factor authentication”.
Collected from the Internet
Please contact [email protected] to delete if infringement.
edited at
- Prev: Error copying folder using scp
- Next: How do I bypass the license page to download Oracle/Sun Java on a server with wget?
Related
Related Related
- 1
App Generator: How can I declare a variable for use in the entire generator?
- 2
How can I track successful logins and disconnects?
- 3
How can I disable ssh logins for accounts?
- 4
How can I force use generator on Coffeescript 1.9?
- 5
How can I force use generator on Coffeescript 1.9?
- 6
Can I list logins on Conky?
- 7
How can I use the email instead of the username in LDAP authentication with PHP?
- 8
How can I use Windows authentication in lieu of storing / passing a password?
- 9
How can I configure SpringBoot with Thymeleaf and use sec:authentication tag
- 10
How can I use OAuth 2.0 Authentication in an Azure Logic App?
- 11
How can I use ldap authentication with full disk encryption?
- 12
How can I use CUPS' basic authentication from a windows client?
- 13
How can I configure SpringBoot with Thymeleaf and use sec:authentication tag
- 14
How can I use the email instead of the username in LDAP authentication with PHP?
- 15
How can I use Windows authentication in lieu of storing / passing a password?
- 16
How can I use postgres roles and passwords for website authentication
- 17
How can I use cURL's '@' syntax with a remote URL?
- 18
How can I use PowerShell to make remote registry changes?
- 19
Under remote (ssh) .. How do I remove all remotes and root logins
- 20
Can I check whether the user has set a passcode?
- 21
Can I add a required passcode to my HTML form?
- 22
How do I use await inside a generator?
- 23
How can I use CURAND_RNG_QUASI_SOBOL32 generator using device API? CUDA
- 24
How can I convert this async callback to a generator?
- 25
How can I write a generator in a JavaScript class?
- 26
How can I extend the JOOQ code generator?
- 27
How can I write a code generator in Ceylon
- 28
How can I get the following generator to work?
- 29
Can I use GitLab with external/remote repository?
Comments