
Securing SSH with Two Factor Authentication Using Google Authenticator

Two-step verification (also known as two-factor authentication, abbreviated TFA or 2FA) is a process involving two stages to verify the identity of an entity trying to access services on a computer or a network. It is a particular case of multi-factor authentication, which may involve only one of the three authentication factors (a knowledge factor, a possession factor, and an inherence factor) for both steps. If each step involves a different authentication factor, then the two-step verification is additionally two-factor authentication.


Google’s two-step verification process


Google was one of the first Internet companies to introduce a two-step verification process. To access a Google service using the two-step verification process, a user has to go through the following two stages:


The first step is to log in using the username and password. This is an application of the knowledge factor.

The second step requires a cellphone or the Google Authenticator application, which is an application of the possession factor.


If the user opts to use a mobile phone, he/she has to register the phone number with Google. When one attempts to authenticate with username and password, Google will send a new, unique code to the phone via SMS. Receiving the SMS demonstrates that the user has the phone (or, in the case of GSM-like networks, the appropriate SIM card).


If the user opts to use Google Authenticator (or some other supported code generator application), he/she simply opens the application, which generates a new code every 30 seconds. This code is entered to complete the login process. As a backup option in case the registered cellphone or device running Google Authenticator is lost, stolen, or otherwise unavailable, the user can print a set of static single-use backup codes (also a knowledge factor) and store them in a safe place.


The following are some other sites which offer a two-step verification service:



  1. Amazon Web Services

  2. ANX

  3. App.net

  4. Apple ID

  5. Authy

  6. Battle.net

  7. Bitstamp

  8. Blockchain.info

  9. Box

  10. Dropbox

  11. eBay

  12. Etrade

  13. Evernote

  14. Facebook

  15. GitHub

  16. GoDaddy

  17. HootSuite

  18. Lastpass

  19. LinkedIn

  20. LocalBitcoins

  21. Microsoft

  22. MongoLab

  23. Namecheap

  24. PayPal

  25. SocialFlow

  26. timetotrade

  27. Tumblr

  28. Twitter

  29. Viaduct

  30. WordPress

  31. Yahoo! Mail

  32. innoview.gr

  33. zoho


Google Authenticator


Google Authenticator implements TOTP security tokens from RFC 6238 in mobile apps made by Google, sometimes branded "two-step authentication". The Authenticator provides a six-digit one-time password users must provide in addition to their username and password to log into Google services or other sites. The Authenticator can also generate codes for third-party applications, such as password managers or file hosting services. Some versions of the software are open source.

[Source: WikiPedia]

Note: Google Authenticator doesn't "call home" to Google. All the work happens on your SSH server and your phone: both sides derive the six-digit code from the shared secret and the current time, so no network connection to Google is involved in a login. The PAM module is open-source software, which means you can check the code yourself. I guess after what happened with OpenSSL, that's not a bad idea after all.


In this article I will demonstrate how to secure SSH by setting up Two Factor Authentication (TFA) with Google Authenticator for the following Linux operating systems:



  1. Debian

  2. Ubuntu

  3. Linux Mint

  4. Kali Linux

  5. Red Hat

  6. CentOS

  7. Fedora


Google Authenticator can be used on the following smartphones:



  1. Android,

  2. iOS and

  3. Blackberry.


I am not too sure if you can use this on a Windows-based phone (i.e. new Nokia phones or Windows Mobile devices). Feel free to try and report back.


App download links are as follows:



  1. Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en

  2. iOS: https://itunes.apple.com/au/app/google-authenticator/id388497605?mt=8

  3. Blackberry: http://www.google.com/mobile/other


More detailed per-device install instructions can be found on this page:  https://support.google.com/accounts/answer/1066447?hl=en


The implementation is exactly the same except for some package name differences, so you can implement this on any Linux operating system that uses these packages.


Requirements


The following are the requirements for using Google Authenticator on your system:



  1. A PC running Linux

  2. A smartphone

  3. A running SSH server on the machine.


In case you don't have an SSH server running, follow this guide to install the OpenSSH server.


Step 1: Install dependencies for Google Authenticator Module


You need to have either root or sudo privileges on the machine where you want to secure SSH by enabling Two Factor Authentication using Google Authenticator. Log in to your machine and run the following commands to install the required dependency packages:


On Debian, Kali, Ubuntu and Linux Mint (they are all Debian-based systems that use apt-get/aptitude as the package manager):


apt-get install libpam0g-dev



On Red Hat, CentOS and Fedora (they are all Red Hat-based systems where you use yum as the package manager):


yum install pam-devel

That's it. That should install the necessary dependencies on your system. In case you have a very restricted system where you don't have GCC, make and wget, you can install them using the following command(s):


yum install make gcc wget
(or)
apt-get install make gcc wget

Step 2: Download Google Authenticator Module


Google Authenticator is available on the Google Code website.


Link: https://code.google.com/p/google-authenticator/


You can just copy and paste the commands below to download and extract the Google Authenticator code. I personally use Kali Linux, which means I am always logged in as the root user; if you're using any of the other Linux distributions like Debian, Ubuntu, Linux Mint, Red Hat, CentOS or Fedora where you don't normally log in as root, then you should choose your own directory to download and extract the code into.


To download the source code of the Google Authenticator PAM module, run the following command:


root@kali: # wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2

At the time of writing this article, v1.0 was available. Note that this fetch is over plain HTTP with no signature or checksum to compare against, so you are trusting the network path. The Google Code project has since moved to GitHub (https://github.com/google/google-authenticator-libpam), and most distributions now ship the module as a package (libpam-google-authenticator on Debian and Ubuntu), which is the better-audited route when it is available to you.




Now extract the tarball:


root@kali: # tar -xvf libpam-google-authenticator-1.0-source.tar.bz2

Change directory to the extracted folder:


root@kali: # cd libpam-google-authenticator-1.0/



Step 3: Compile and Install Google Authenticator PAM module


So far we've installed the dependencies and downloaded and extracted the Google Authenticator PAM module. Now we need to compile the code and install the compiled module on our system.

Use the following command to compile the downloaded source code:


root@kali: /libpam-google-authenticator-1.0# make



Now install the Google Authenticator PAM module on your system:


root@kali: /libpam-google-authenticator-1.0# make install



Step 4: Run and configure Google Authenticator


Run the google-authenticator helper from the command line to configure the module for the account you run it as. It writes that user's ~/.google_authenticator file, and the PAM module later reads the file of whichever user is logging in, so run it once for each account that will log in over SSH, not only for root.


root@kali: /libpam-google-authenticator-1.0# google-authenticator

It will present you with a bunch of questions where you get to choose y or n. Let's have a quick look at those questions and the outputs.


Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@kali%3Fsecret%3DWKHM6UVJNTPYSPTQ
Your new secret key is: WKHM6UVJNTPYSPTQ
Your verification code is 434260
Your emergency scratch codes are:
30287010
70585905
68748337
15176712
38041521

So on your first question, you get a secret key (Your new secret key is: WKHM6UVJNTPYSPTQ) and five emergency scratch codes. The secret key is what you enter into the app on your mobile so that it can generate the right verification code next time you log in. The emergency scratch codes are single-use codes for when you've lost your mobile; store them somewhere safe. Treat the secret key like a password: note that the QR-code URL above carries the secret in its query string, so opening it in a browser sends the secret to Google's chart service, and you may prefer to type the key into the app instead of scanning it.

Next it asks you if you want to update the file for your account. Being the root user, I've chosen Yes.


Do you want me to update your "/root/.google_authenticator" file (y/n) y

Next up, it asks you if you want to disallow multiple uses of the same verification code. Unless you have a good reason not to, choose Yes: a code that someone captured (by shoulder-surfing or a man-in-the-middle) then cannot be replayed within its 30-second lifetime, at the cost of allowing only one login per code.


Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

Next is the time-skew window. From the point of getting the code on your mobile to typing it into your login prompt, 30 seconds should be more than enough, and the default already accepts one code before and one after the current one (a 1:30 window). If time sync is bad on your system, you're reading the code to someone over the phone, or you are a VERY slow typist, answer Yes here to widen it to about 4 minutes, as I did. Keep in mind that a wider window means more codes are valid at any moment, so the rate-limiting below matters more; if your clocks are NTP-synced, No is the safer answer.


By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

Last up, of course we want to enable rate-limiting: by enabling this, you ensure that only 3 login attempts every 30s can be made.


If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

This finishes the initial setup for the Google Authenticator PAM module. Now we need to configure PAM and SSH to actually use it. This is where it gets awesome.




Note: Leave this last window open (DO NOT CLOSE). We need the secret key for the next steps.
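The note earlier that the module doesn't call home, and the three policy questions just answered (no reuse of a code, the time-skew window, rate-limiting), are easier to see with the arithmetic in front of you. The following is an added example written for this article, not code from the Google Authenticator project: a small RFC 6238 verifier in Python that reproduces those policies. It uses the RFC 6238 test-vector key (ASCII 12345678901234567890, base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) rather than the secret printed above, reuses the two first scratch codes from the sample output above as its scratch codes, and the timestamps in the usage section are constructed for illustration. How the real module records used tokens and attempts inside ~/.google_authenticator is assumed here, not copied.

```python
# Added example: an RFC 6238 (TOTP) verifier that mirrors the policies the
# google-authenticator setup asks about. Not the PAM module's own code.
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per token, as in "tokens are good for 30 seconds"
DIGITS = 6   # Google Authenticator shows six-digit codes

# RFC 6238 test-vector key (ASCII "12345678901234567890") in base32, the
# format google-authenticator prints after "Your new secret key is:"
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32(secret):
    """The printed secret is unpadded base32; restore padding before decoding."""
    s = secret.strip().upper().replace(" ", "")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % 10 ** digits)


def totp(secret, at=None):
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    at = time.time() if at is None else at
    return hotp(decode_base32(secret), int(at) // STEP)


class Verifier:
    """Server-side check with the three Step 4 policies:
    window        steps accepted on each side of 'now' (1 = the default 1:30
                  window, 8 = the roughly 4 minute window the setup offers)
    allow_reuse   False means DISALLOW_REUSE: a counter value is accepted once
    limit/period  at most `limit` attempts in any `period` seconds
    Scratch codes are single-use and are consumed on first successful use.
    """

    def __init__(self, secret, scratch_codes, window=1, allow_reuse=False,
                 limit=3, period=30):
        self.key = decode_base32(secret)
        self.scratch = set(scratch_codes)
        self.window = window
        self.allow_reuse = allow_reuse
        self.limit, self.period = limit, period
        self.used_counters = set()   # assumed bookkeeping, not the module's format
        self.attempts = []

    def verify(self, code, now):
        """Return True if `code` is acceptable at time `now` (seconds)."""
        # Rate limiting first, so guessing is throttled before any comparison.
        self.attempts = [t for t in self.attempts if now - t < self.period]
        self.attempts.append(now)
        if len(self.attempts) > self.limit:
            return False
        # Emergency scratch codes: accepted once, then burned.
        if code in self.scratch:
            self.scratch.discard(code)
            return True
        # TOTP: try the current step and `window` steps on either side.
        counter = int(now) // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if not self.allow_reuse and c in self.used_counters:
                continue
            if hmac.compare_digest(hotp(self.key, c), code):
                self.used_counters.add(c)
                return True
        return False


if __name__ == "__main__":
    # Constructed timeline; T=1111111109 is an RFC 6238 test time (code 081804).
    now = 1111111109
    v = Verifier(RFC_SECRET, scratch_codes=["30287010", "70585905"])
    print(v.verify(totp(RFC_SECRET, now), now))   # True: fresh code
    print(v.verify(totp(RFC_SECRET, now), now))   # False: replay within the window
    print(v.verify("30287010", now))              # True: scratch code, now burned
    print(v.verify("70585905", now))              # False: 4th attempt in 30s, rate-limited
    print(v.verify("70585905", now + 30))         # True: period elapsed, unused scratch
```

Two things the prompts do not spell out are visible here: widening the window to about 4 minutes makes 17 codes valid at once instead of 3, which is why the module pairs it with rate-limiting, and a scratch code is compared before any TOTP math, so it works even when the phone's clock is wrong.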


Step 5: Configure SSH to use the Google Authenticator PAM Module


Open your PAM configuration file /etc/pam.d/sshd:


root@kali: # vi /etc/pam.d/sshd

and add the following line at the top of the file (on Debian-based systems, above the @include common-auth line, so that the verification code is asked for before the password):


auth       required     pam_google_authenticator.so



Next up, open your SSH configuration file /etc/ssh/sshd_config:


root@kali: # vi /etc/ssh/sshd_config

and change the line containing ChallengeResponseAuthentication no (also make sure UsePAM yes is set, which it is by default on these distributions; without it sshd never runs the PAM stack and the module is never consulted):


ChallengeResponseAuthentication no
(change it to)
ChallengeResponseAuthentication yes
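One setting the article does not touch deserves a closer look: with the default PubkeyAuthentication yes, a client holding an authorized public key is authenticated by sshd itself and the PAM stack, and with it the verification code, is never run. The fragment below is an added example, not from the original article: the common defaults on the left of the change beside the settings I would actually run. Only the ChallengeResponseAuthentication line is the article's own; AuthenticationMethods exists from OpenSSH 6.2 onwards, and on OpenSSH 8.7 and later ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication, so use the newer name there.

```conf
# /etc/ssh/sshd_config (added example; only ChallengeResponseAuthentication is from the article)

# Weak: these are the usual defaults. A client with an authorized key logs in
# without touching PAM, so the "Verification code:" prompt never appears.
#PubkeyAuthentication yes
#ChallengeResponseAuthentication no

# Corrected:
UsePAM yes                                  # sshd must run the PAM stack at all
ChallengeResponseAuthentication yes         # keyboard-interactive carries the PAM prompts
PasswordAuthentication no                   # excluded by AuthenticationMethods anyway; be explicit
# Require BOTH an authorized key and the PAM exchange (key, then code, then password):
AuthenticationMethods publickey,keyboard-interactive
# Alternative without keys, matching the article's password + code flow:
#AuthenticationMethods keyboard-interactive
```

With the publickey,keyboard-interactive line every account needs an authorized key and a ~/.google_authenticator file, or it cannot log in at all; the module's nullok option lets accounts that have not yet run google-authenticator skip the code prompt while you roll this out. Either way, keep your current session open and test from a second one before you trust the change.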



To have these changes take effect, restart the SSH server (keep your current session open and test from a second one, so a mistake doesn't lock you out):


service ssh restart
(or)
service sshd restart
(or)
/etc/init.d/ssh restart
(or)
/etc/init.d/sshd restart

Why four commands? Depending on your Linux distribution, some refer to the SSH daemon as sshd, some as ssh, some have the service command installed, and some require you to go into the /etc/init.d folder and restart the SSH service manually. On systemd-based distributions, systemctl restart sshd (or ssh) does the same job.


Step 6: Configure your SmartPhone for Google Authenticator App


Like I said before, Google Authenticator can be used on the following smartphones:



  1. Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en

  2. iOS: https://itunes.apple.com/au/app/google-authenticator/id388497605?mt=8

  3. Blackberry: http://www.google.com/mobile/other


More detailed per-device install instructions can be found on this page:

https://support.google.com/accounts/answer/1066447?hl=en


Assuming you managed to install the app properly, launch the Google Authenticator app on your smartphone.


From the menu select Set up account.




Step 6.1: Google Authenticator Setup Account


Remember the secret key you got when you initialized the Google Authenticator PAM module on your computer? I hope you still have that window open. Select Enter provided key.




In the next window, give it a name (something you can remember or that relates to your workstation, i.e. Home Workstation or My SuperAwesome LinuxBox). I'm going to use blackMORE Ops as the name.


Type your secret key into the next field and tap the Add button.




Once it's added it will generate a one-time verification code (PIN) that keeps changing every 30 seconds.


Step 7: Log in to your computer via SSH


Because I am doing all this on the same computer, I will just log in to localhost (IP: 127.0.0.1). If you have two or more machines or VirtualBox/VMware machines, then you can try to log in from a different one. One thing to note: you MUST have the SSH server running.


In case you don't have an SSH server running, follow this guide to install the OpenSSH server.


So we type in the following command (this is where you need to find out your SSH server's IP address; I've shown it using localhost or 127.0.0.1, but this can be anything from an IP to an FQDN or domain name):


root@kali: # ssh 127.0.0.1

and right away you see a prompt asking for a Verification code. This is the Google Authenticator code that you get from the Google Authenticator mobile app.




Type in the numbers from your smartphone's Google Authenticator app and then it will prompt you for your password. Type in your password to log in.




If you failed to type in the verification code within 30 seconds, you have to try the next code shown in your smartphone's Google Authenticator app. Awesome? Wouldn't you agree?


Alternatives to Google Authenticator SmartPhone App:


In case you don't own a smartphone or don't want to use one, you can use the following add-on in your Firefox or IceWeasel browser. Keep in mind that storing the secret on the same machine you type the password from weakens the possession factor: whoever compromises that machine has both factors.


FireFox/IceWeasel App: GAuth Authenticator https://marketplace.firefox.com/app/gauth-authenticator/




Interesting Fact:


[Update]

Got a response from the dev behind the Google Authenticator add-on for Chrome, Gerard Braad, who explained that Google have taken it down but gave no explanation as to why, even after being asked several times.


The Firefox version is still available though and works great. Hopefully he may look into the issue with the Chrome version and re-submit.


Here is the FF version for those wishing to use it:


https://marketplace.firefox.com/app/gauth-authenticator/


Richard


How about that?


[ Source: https://productforums.google.com/forum/#!topic/chrome/P9rTLaeyHjg ]

Conclusion


Securing SSH with two factor authentication using Google Authenticator is perhaps the best security model you can get out there for free. You can always restrict SSH by IP, change the port, rate-limit and do all sorts of crazy stuff. But those who want to open SSH to the outside world and implement all these extra security measures (i.e. brute-force detection etc.) have to constantly worry about who is trying to get in and what they've missed while securing the system. Securing SSH with two factor authentication using Google Authenticator perhaps relieves you of that worry, and you stop getting emails in the middle of the night saying someone tried to log in via SSH X times. But there are always other ways to ensure your connection remains secure. A VPN is considered to be the best solution to encrypt data. Learn how to set up a VPN here.


Let me know your thoughts and if you've found this useful. Thanks for reading and being on my website. Please share. This would be best for system administrators on any Linux system.

