Google Authenticator

I have been happily using two-factor authentication with my Google account for months. I appreciate the added security and it hasn't been much hassle.

I decided it would be a good idea to implement something similar for access to my server. There are several options available, but I chose pam_google_authenticator. It integrates with the Google Authenticator phone application and supports backup OTPs for when your phone is unavailable.

Since I am using Arch, the process begins with installing the google-authenticator-libpam-hg package from AUR. Normally this would be an easy task, but for some reason the hg clone step fails during the build. I worked around the problem by running hg clone https://code.google.com/p/google-authenticator manually in my home directory, and then creating a symlink to it for use in the build script. I also installed qrencode for generating QR codes.

Now that it is installed, you have to configure PAM to make use of the new module. I created a new file /etc/pam.d/google-authenticator with the contents:

#%PAM-1.0
auth	sufficient	pam_access.so accessfile=/etc/security/access-local.conf
auth	sufficient	pam_succeed_if.so user notin some:users:here
auth	required	pam_google_authenticator.so

The pam_google_authenticator module does the real work, but I only want to require the OTP in two situations. First, I want to require the OTP for all connections from the Internet, but not from my LAN; pam_access, with the help of an additional configuration file, does exactly that. Second, when enabled, pam_google_authenticator requires all users to use an OTP, with no provision for users who haven't set up their two-factor authentication yet (it would simply prevent them from logging in). There are several patches I could have applied to fix this problem, but I went with the simple approach of manually configuring the list of users I want to use two-factor authentication with the pam_succeed_if module. some:users:here is a colon-separated list of the users that will be using two-factor authentication.

For pam_access, I created /etc/security/access-local.conf:

+ : ALL : 10.0.0.0/24
+ : ALL : LOCAL
- : ALL : ALL

The first line is where you define your network's subnet. It should likely be something like 192.168.1.0/24.

To allow PAM to query additional information via SSH, you need to make sure that ChallengeResponseAuthentication is not set to no in /etc/ssh/sshd_config. The default is yes, but Arch sets it to no, so I just commented out that line in the config and restarted SSH.

As my normal user, I ran google-authenticator, which generated a TOTP secret in my home directory. (Presumably) since I had qrencode installed, it also provided a very nice QR code (in the terminal even!) that I scanned with my phone to configure the Google Authenticator Android application.
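To make concrete what that secret is used for, here is an added example (not code from the post or from the pam_google_authenticator project) that computes and verifies RFC 6238 TOTP codes the way the phone app and the PAM module do. The sample secret is the RFC 4226/6238 test key in base32, a constructed stand-in for the first line of ~/.google_authenticator; the skew window and replay check are simplified analogues of the module's WINDOW_SIZE and DISALLOW_REUSE options, not its implementation.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226/6238 test key "12345678901234567890" in base32.
# It stands in for the secret on the first line of ~/.google_authenticator.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32, code, unix_time, window=1, used_steps=None, step=30):
    """Accept `code` if it matches any time step within +/- `window` steps
    (tolerates clock skew, like the module's WINDOW_SIZE) and that step has
    not been accepted before (replay rejection, like DISALLOW_REUSE).
    Returns the matching step on success, None on failure."""
    now_step = unix_time // step
    for delta in range(-window, window + 1):
        candidate = now_step + delta
        if used_steps is not None and candidate in used_steps:
            continue  # a code for this step was already consumed: reject replay
        if hmac.compare_digest(hotp(secret_b32, candidate), code):
            if used_steps is not None:
                used_steps.add(candidate)
            return candidate
    return None


if __name__ == "__main__":
    print(totp(SAMPLE_SECRET_B32, 59))  # RFC 6238 vector at T=59 -> 287082
```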

With all the preparation work complete, I now need to enable the setup for SSH. In /etc/pam.d/sshd I added a line under auth required pam_unix.so ...:

auth	substack	google-authenticator

After a bit of testing, I verified everything was running as I expected, and I now have two-factor authentication for accessing my server via SSH. To enable two-factor authentication for additional accounts, I will have the account's user run google-authenticator and set up their phone, after which I will add them to the list passed to pam_succeed_if.