Setting up login to the Ubuntu server via Google Authenticator App
Introduction
OATH-TOTP (Open Authentication Time-Based One-Time Password) is an open protocol that generates a one-time use password, commonly a 6 digit number that is recycled every 30 seconds.
Google Authenticator is a software token that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP) and HMAC-based One-time Password Algorithm (HOTP), for authenticating users of mobile applications by Google. The service implements algorithms specified in RFC 6238 and RFC 4226.
Authenticator provides a six- to the eight-digit one-time password which users must provide in addition to their username and password to log into Google services or other sites. The Authenticator can also generate codes for third-party applications, such as password managers or file hosting services. Previous versions of the software were open-sourced but subsequent releases are proprietary.
Contents
This tutorial includes these parts:
- Installing Google’s PAM
- Configuring OpenSSH
- Making SSH Aware of MFA
- Adding a Third Factor (Optional)
1. Installing Google’s PAM
In this step, we’ll install and configure Google’s PAM.
PAM, which stands for Pluggable Authentication Module, is an authentication infrastructure used on Linux systems to authenticate a user. Because Google made an OATH-TOTP app, they also made a PAM that generates TOTPs and is fully compatible with any OATH-TOTP app, like Google Authenticator or Authy.
First, update Ubuntu’s repository cache.
sudo apt-get updateNext, install the PAM.
sudo apt-get install libpam-google-authenticatorThen download the app (i.e., Google Autheticator) on your mobile device (ios or android) and run the following command.
google-authenticatorYou should see a QR-code while completing the initialization process. In your app add the code tapping on the cross sign, scanning the code. Now you must see a new record in the app with a token which circles every 30 seconds.
2. Configuring OpenSSH
To enable authorization with TOTP (Time-Based One-Time Password) sshd service must be configured accordingly. Edit the configuration file with the following command.
sudo vim /etc/pam.d/sshdAdd the following line to the bottom of the file.
. . .
# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so nullokThe nullok word at the end of the last line tells the PAM that this authentication method is optional. This allows users without an OATH-TOTP token to still log in using their SSH key. Once all users have an OATH-TOTP token, you can remove nullok from this line to make MFA mandatory.
Save and close the file.
Next, we’ll configure SSH to support this kind of authentication. Open the SSH configuration file for editing.
sudo vim /etc/ssh/sshd_configLook for ChallengeResponseAuthentication and set its value to yes.
. . .
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
. . .Restart sshd service
sudo systemctl restart sshd.service3. Making SSH Aware of MFA
Reopen the sshd configuration file.
sudo vim /etc/ssh/sshd_configAdd the following line at the bottom of the file. This tells SSH which authentication methods are required. This line tells SSH we need an SSH key and either a password or a verification code (or all three).
. . .
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactiveSave and close the file, then restart SSH.
sudo systemctl restart sshd.service4. Adding a Third Factor (Optional)
In Step 3, we listed the approved types of authentication in the sshd_config file:
- publickey (SSH key)
- password publickey (password)
- keyboard-interactive (verification code)
Although we listed three different factors, with the options we’ve chosen so far, they only allow for an SSH key and the verification code. If you’d like to have all three factors (SSH key, password, and verification code), one quick change will enable all three.
Open the PAM sshd configuration file.
sudo vim /etc/pam.d/sshdLocate the line you commented out previously, #@include common-auth, and uncomment the line by removing the # character. Save and close the file. Now once again, restart SSH.
sudo systemctl restart sshd.serviceBy enabling the option @include common-auth, PAM will now prompt for a password in addition the checking for an SSH key and asking for a verification code, which we had working on previously. Now we can use something we know (password) and two different types of things we have (SSH key and verification code) over two different channels.
