Two-Factor Authentication on Debian
2013-05-25

More and more of my life is hidden behind a password, but a single password is a single point of failure, and that is not desirable. Therefore I've activated two-factor authentication for almost every service I use, including my own servers.
Using Google Authenticator on my iPhone, someone nasty now needs both something I know (my password) and something I have (my phone) to get into my accounts. For my home servers [plural…] I've started to use libpam-google-authenticator to boost my security. For normal use, public key authentication is adequate for securing my home media and backups. Occasionally, however, I want to reach my machines from somewhere else, such as a friend's computer, where my private key isn't available. The simple solution would be to re-enable password authentication, but a password-only SSH login invites brute-force attempts and I prefer to keep my log-files small. Two-factor authentication is the solution.
Installing libpam-google-authenticator
I have two servers at home, one running Debian 6 (Squeeze) and another running Debian 7 (Wheezy), and these instructions work for both.
- Install libqrencode3: `# apt-get install libqrencode3`
- Download libpam-google-authenticator from the Debian Web-site, and install it using `# dpkg -i $file.deb`
- Modify your /etc/ssh/sshd_config so that `ChallengeResponseAuthentication yes` and `PasswordAuthentication yes` are both enabled (Debian's default `UsePAM yes` must stay in place too, otherwise sshd never consults /etc/pam.d/sshd)
- At the end of /etc/pam.d/sshd, after the `@include common-auth` line so that the password is checked first, put the line `auth required pam_google_authenticator.so`
- Restart sshd: `# service ssh restart`
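As an added example that is not part of the original post, here is a small POSIX shell script that makes the sshd_config and PAM changes from the list above on copies of the files and checks the result. The helper names (`set_sshd_option`, `get_sshd_option`, `add_pam_totp`, `check_sshd_config`) and the sample file contents in `demo()` are my own constructions, not anything the package or Debian ships; the one thing it encodes that the list above does not is that sshd takes the first value of a keyword, not the last, and that settings inside a `Match` block are conditional and must be left alone.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd_config and PAM edits
# described above to COPIES of the files, then check the result before touching
# /etc/ssh/sshd_config or /etc/pam.d/sshd for real. Needs only POSIX sh and awk.
# The sample configs in demo() are constructed for illustration.
set -eu

# Print the value sshd would use for KEY in FILE: the first uncommented occurrence
# in the global section (sshd_config takes the FIRST value, not the last), stopping
# at any "Match" block, whose settings are conditional.
get_sshd_option() {
    awk -v key="$2" '
        BEGIN { re = "^[ \t]*" key "[ \t]+" }
        /^[ \t]*Match([ \t]|$)/ { exit }
        $0 ~ re { print $2; exit }
    ' "$1"
}

# Set KEY to VALUE in FILE: rewrite the first global "KEY ..." line (even if it is
# "#"-commented out), drop duplicates, or insert the line before the first "Match"
# block / at end of file if there is none. Lines inside Match blocks are left alone.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v val="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" key "([ \t]|$)"; done = 0; in_match = 0 }
        /^[ \t]*Match([ \t]|$)/ { if (!done) { print key " " val; done = 1 }; in_match = 1 }
        !in_match && $0 ~ re   { if (!done) { print key " " val; done = 1 }; next }
        { print }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # write through, so ownership and mode are preserved
    rm -f "$tmp"
}

# Append the pam_google_authenticator line to a pam.d/sshd file unless it is already
# there. Appending puts it after Debian's "@include common-auth", so the password is
# checked first and the verification code second.
add_pam_totp() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1" \
        || printf 'auth required pam_google_authenticator.so\n' >> "$1"
}

# Succeed only if FILE explicitly enables everything the PAM route needs: UsePAM
# (without it the pam.d line is never consulted), keyboard-interactive auth
# (ChallengeResponseAuthentication) and PasswordAuthentication.
check_sshd_config() {
    for key in UsePAM ChallengeResponseAuthentication PasswordAuthentication; do
        [ "$(get_sshd_option "$1" "$key")" = yes ] || return 1
    done
}

# Constructed stand-ins for /etc/ssh/sshd_config and /etc/pam.d/sshd.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
    printf '@include common-auth\n@include common-account\n' > "$dir/pam_sshd"

    set_sshd_option "$dir/sshd_config" ChallengeResponseAuthentication yes
    set_sshd_option "$dir/sshd_config" PasswordAuthentication yes
    add_pam_totp "$dir/pam_sshd"
    add_pam_totp "$dir/pam_sshd"          # second call is a no-op

    if check_sshd_config "$dir/sshd_config"; then
        echo "sshd_config OK"
    else
        echo "sshd_config still missing a setting" >&2
    fi
    cat "$dir/sshd_config" "$dir/pam_sshd"
    rm -rf "$dir"
}

demo
```

On the real files you need root, and you should validate the result with `sshd -t` and keep an existing SSH session open while you `service ssh restart`, so a mistake in the PAM stack cannot lock you out. Public-key logins never enter PAM's auth stack, so they are unaffected either way, which is exactly the behaviour wanted here.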
Using libpam-google-authenticator
Now you'll have libpam-google-authenticator installed on your server, but no user is enrolled yet. To enrol, login as a normal user and run `google-authenticator`, which walks you through a few questions. Don't run google-authenticator as root, though: it's a silly idea to enable remote root logins…
Proceed through the questions—I went with yes, yes, no and then yes—then scan the QR code with your Google Authenticator app and make a note of your emergency scratch codes. If you ever need to see the codes again, you'll find them, together with the secret, in `~/.google_authenticator`, which is why that file must stay readable by nobody but you.
Now whenever you login using password authentication, libpam-google-authenticator will ask you for a verification code from your iPhone. Public-key logins are unaffected, since they never reach PAM's auth stack. To test it (assuming you have public key authentication enabled), force a password login by disabling public key authentication for that one connection, e.g. `ssh keot@telaviv.local -o PubkeyAuthentication=no`. Keep an existing session open while you do this, so a mistake in the sshd or PAM configuration can't lock you out.
Thanks to highball.se and Francis Tang for their articles on this topic.