Asked Thursday, February 10, 2022, 11:02:07 / answers: 1 / hits: 6189

I would like to strengthen the authentication of my SSH logins by adding another factor: a passcode generator device, or a passcode generation application on my mobile phone. The only obvious options in the default setup are a fixed password and key pair. How can I do this?



(If I use a password plus a passcode generator, this provides two-factor authentication (2FA): the password is “what I know”, and the passcode is “what I have”.)



 Answers

One way to do this is with a tool provided by Google called Google Authenticator.




  1. Install libpam-google-authenticator




    • or just sudo apt-get install libpam-google-authenticator


  2. Edit /etc/pam.d/sshd to include the module:




    • sudoedit /etc/pam.d/sshd

    • and then include this line at the top of the file and save:



      auth required pam_google_authenticator.so


  3. Edit your SSH config file to turn on the challenge:




    • sudoedit /etc/ssh/sshd_config and then change the response authentication from:



      ChallengeResponseAuthentication no 


      to



      ChallengeResponseAuthentication yes


      and then save the file.



  4. sudo restart ssh to restart SSH


  5. Run google-authenticator




    • This will give you your secret key, verification code, and emergency scratch codes. It will also ask you some rate limiting questions.




Mobile Applications:



You'll need one of these to receive the authentication code on another device.





Related and Useful:





Note that combining a password with single-use passcodes is two-factor authentication: it combines “what you know” (a password) with “what you have” (the passcode generator device). On the other hand, if you combine single-use passcodes with an SSH key pair, it's all about “what you have”. When two authentication factors are of the same type, you do not have two-factor authentication; this is sometimes called “one-and-a-half-factor authentication”.


[#37084] Friday, February 11, 2022
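
The two file edits from the answer above (steps 2 and 3) can be verified with a script like the following, which is an added example and not part of the original answer. The function names and sample files are constructed for illustration; the parser reads only the global part of sshd_config and also accepts KbdInteractiveAuthentication, the name newer OpenSSH releases use for the same option.

```shell
# Added example (not from the answer): audit the two file edits it describes.
# Function names and the sample files below are constructed for illustration.

# Succeeds if the PAM file has an active (uncommented) line of the form
#   auth required pam_google_authenticator.so [options]
pam_has_authenticator() {
    awk '$1 == "auth" && $2 == "required" &&
         $3 == "pam_google_authenticator.so" { found = 1 }
         END { exit !found }' "$1"
}

# Prints the value sshd would use: "yes", "no", or "unset".
# sshd keeps the first value it reads for a keyword; keywords are
# case-insensitive. KbdInteractiveAuthentication is the newer name of the
# same option (OpenSSH 8.7+). Match blocks are not evaluated here.
challenge_response_value() {
    awk '{ sub(/#.*/, ""); sub(/=/, " ") }
         tolower($1) == "match" { exit }
         tolower($1) == "challengeresponseauthentication" ||
         tolower($1) == "kbdinteractiveauthentication" { v = $2; exit }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Returns 0 only when both edits are in place, printing one line per finding.
check_ssh_2fa() {
    pam_file=$1 sshd_file=$2 rc=0
    if pam_has_authenticator "$pam_file"; then
        echo "ok:   $pam_file loads pam_google_authenticator.so"
    else
        echo "FAIL: $pam_file has no active pam_google_authenticator.so line"
        rc=1
    fi
    value=$(challenge_response_value "$sshd_file")
    if [ "$value" = "yes" ]; then
        echo "ok:   $sshd_file enables challenge-response"
    else
        echo "FAIL: $sshd_file challenge-response is '$value', expected 'yes'"
        rc=1
    fi
    return $rc
}

# Constructed stand-ins for /etc/pam.d/sshd and /etc/ssh/sshd_config: the
# "yes" line is still commented out, so the active "no" line wins.
demo=$(mktemp -d)
printf '%s\n' 'auth required pam_google_authenticator.so' > "$demo/pam"
printf '%s\n' '#ChallengeResponseAuthentication yes' 'ChallengeResponseAuthentication no' > "$demo/sshd"
check_ssh_2fa "$demo/pam" "$demo/sshd" || echo "2FA setup incomplete"
rm -rf "$demo"
```

On a real host, call `check_ssh_2fa /etc/pam.d/sshd /etc/ssh/sshd_config` before restarting SSH, and keep an existing session open until a fresh login with the passcode has succeeded.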
ilityushing