I have been happily using two-factor authentication with my Google account for months. I appreciate the added security and it hasn't been much hassle.
I decided it would be a good idea to implement something similar for access to my server. There are several options available, but I selected pam_google_authenticator. It integrates with the Google Authenticator phone application and supports backup OTPs for when your phone is unavailable.
Since I am using Arch, the process begins with installing the google-authenticator-libpam-hg package from the AUR. Normally this would be an easy task, but for some reason hg clone fails during the build. I worked around the problem by running the hg clone https://code.google.com/p/google-authenticator command manually in my home directory, and then creating a symlink to the checkout for the build script to use. I also installed qrencode for generating QR codes.
Now that it is installed, you have to configure PAM to make use of the new module. I created a new PAM service file (/etc/pam.d/google-authenticator, which is the service the substack line added to /etc/pam.d/sshd below refers to) with the following contents:

    #%PAM-1.0
    auth sufficient pam_access.so accessfile=/etc/security/access-local.conf
    auth sufficient pam_succeed_if.so user notin some:users:here
    auth required pam_google_authenticator.so
The pam_google_authenticator module does the real work, but there are two conditions I want to attach to requiring the OTP. First, I want to require the OTP for all connections from the Internet, but not from my LAN; pam_access, with the help of an additional configuration file, does just that. Second, when turned on, pam_google_authenticator requires all users to use an OTP, with no provision for users who haven't set up their two-factor authentication yet (it would simply prevent them from logging in). There are several patches I could have applied to fix this problem, but I just went with the simple approach of manually configuring the list of users I want to use two-factor authentication with via pam_succeed_if. some:users:here is a colon-separated list of the users that will be using two-factor authentication.
For pam_access, I created /etc/security/access-local.conf (the file named by the accessfile option above) with:

    + : ALL : 10.0.0.0/24
    + : ALL : LOCAL
    - : ALL : ALL

The first line is where you define your network's subnet. It should likely be
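To see exactly who will and will not be prompted for a code under the stack above, here is an added evaluator (not part of the original post) that parses a copy of the access-local.conf rules and the pam_succeed_if user list and walks the two sufficient entries the way PAM does. The user names, the 203.0.113.9 Internet address and the treatment of LOCAL as "no remote host" are constructed assumptions, not values from the post.

```python
import ipaddress

# Constructed copies of the two pieces of configuration from the post.
ACCESS_LOCAL_CONF = """\
+ : ALL : 10.0.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""
OTP_USERS = "alice:bob"  # stands in for the some:users:here list given to pam_succeed_if

def parse_access_conf(text):
    """Parse pam_access rules into (allow, users, origins) tuples, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(pattern, rhost):
    """Match one origin field against the remote host (None for a console login)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":  # simplifying assumption: LOCAL means no remote host at all
        return rhost is None
    if rhost is None:
        return False
    try:
        return ipaddress.ip_address(rhost) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:  # not an address/CIDR pair: fall back to a literal hostname match
        return pattern == rhost

def pam_access_allows(rules, user, rhost):
    """First matching rule decides; pam_access permits when no rule matches."""
    for allow, users, origins in rules:
        if ("ALL" in users or user in users) and any(origin_matches(o, rhost) for o in origins):
            return allow
    return True

def otp_required(user, rhost, conf=ACCESS_LOCAL_CONF, otp_users=OTP_USERS):
    """Walk the post's auth stack and report whether pam_google_authenticator is reached."""
    if pam_access_allows(parse_access_conf(conf), user, rhost):
        return False  # 'sufficient' pam_access: LAN or local login, no OTP
    if user not in otp_users.split(":"):
        return False  # 'sufficient' pam_succeed_if: user not enrolled, password only
    return True  # 'required' pam_google_authenticator: OTP prompt
```

otp_required("carol", "203.0.113.9") returns False: a user who is not in the pam_succeed_if list still gets in from the Internet with a password alone, which is the trade-off of skipping unenrolled users rather than patching the module.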
To allow PAM to query additional information via SSH, you need to make sure ChallengeResponseAuthentication is not set to no in /etc/ssh/sshd_config. The default is yes, but in Arch they set it to no, so I just commented out that line in the config and restarted SSH.
As my normal user, I ran google-authenticator, which generated a TOTP secret in my home directory. (Presumably) since I had qrencode installed, it also provided a very nice QR code (in the terminal even!) that I scanned with my phone to configure the Google Authenticator Android application.
All the preparation work is complete; I now need to enable the setup for SSH. In /etc/pam.d/sshd I added a line under the existing auth entries:

    auth substack google-authenticator
After a bit of testing, I verified everything was running as I expected, and I now have two-factor authentication for accessing my server via SSH. To enable two-factor for additional accounts I will have the account's user run google-authenticator and set up their phone, after which I will add them to the list passed to pam_succeed_if.