James Mardell

Two-Factor Authentication on Debian


More and more of my life is hidden behind a password, however a single point of failure is not desirable. Therefore I’ve activated two-factor authentication for almost every service I use, including my own servers.

Using Google Authenticator on my iPhone, someone nasty now needs both a knowledge (e.g. a password) and a possession (e.g. my mobile phone) to access my accounts. For my home servers [plural…] I’ve started to use libpam-google-authenticator to boost my security. For normal use, public key authentication is adequate for securing my home media and backups. However, occasionally I want to access my machines from a different location, such as a friend’s computer. The simple solution would be to re-enable password authentication, but I prefer to keep my log-files small. Two-factor authentication is the solution.

Installing libpam-google-authenticator

I have two servers at home, one running Debian 6 (Squeeze) and another running Debian 7 (Wheezy), and these instructions work for both.

  1. Install libqrencode3: # apt-get install libqrencode3
  2. Download libpam-google-authenticator from the Debian Web-site, and install it using # dpkg -i $file.deb
  3. Modify your /etc/ssh/sshd_config so that ChallengeResponseAuthentication yes and PasswordAuthentication yes are both enabled
  4. At the end of /etc/pam.d/sshd put the line auth required pam_google_authenticator.so
  5. # service ssh restart

Using libpam-google-authenticator

Now you’ll have libpam-google-authenticator installed on your server, but by default you can login without using it. To enable it, login as a normal user and type google-authenticator, where you’ll see the following:

Google Authenticator on the console

Although don’t run Google Authenticator as root—it’s a silly idea to enable remote root logins…

Proceed through the questions—I went with yes, yes, no and then yes—then scan the code with your Google Authenticator App and make a note of your emergency scratch codes. If you ever need to see the codes again, you’ll find them in ~/.google-authenticator.

Now whenever you login using password authentication, libpam-google-authenticator will proceed to ask you for a verification code from your iPhone. To test this (assuming you have public key authentication enabled) try to login by disabling public key authentication (e.g. ssh keot@telaviv.local -o PubKeyAuthentication=false).

Google Authenticator on an iPhone

Thanks to highball.se and Francis Tang for their articles on this topic.