2 factor SSH authentication

Google has released a nice API quite a while back called the Google Authenticator. I am sure some of you use it already for your gmail account (if you don’t, you should). You install it from the Android Market (or Apple Market for the Apple lovers out there) then setup your account.

I recently read about the fact that you can also use it for SSH. As I have a few VMs out there on the internet, I thought I’d give it a whirl. So this quick tutorial is based on Debian.

Make sure you install the right packages to start with: apt-get install mercurial libpam0g-dev then clone the repo : hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator. Once done, you just need to compile and install the module and binary: cd google-authenticator/libpam/ && make && make install.

You can now setup your user for Google Authenticator, to do so, make sure you are logged in as your user then issue the following command: google-authenticator. It will offer to create all passwords, scratch cards and give you an https link to scan on your phone.

All that remains now is to enable the pam module, edit /etc/pam.d/sshd and add the following (before the include common-auth)

auth required pam_google_authenticator.so

Then edit /etc/ssh/sshd_config and make sure that you set this two variables to yes: ChallengeResponseAuthentication and UsePAM then restart the SSH daemon.

It is now ready, your server will now greet you with:

frlinux@qosmio:~$ ssh server
Verification code: