Most of us are in the habit of SSHing into our Linux machines on a regular basis, so we obviously want to protect them from misuse. Google provides Google Authenticator's time-based one-time password (TOTP) system, which is open source, to secure your SSH sessions.
Installing Google Authenticator on Server:
To implement multi-stage Google authentication we need the Google Authenticator PAM module. PAM stands for "pluggable authentication module"; it lets you plug different forms of authentication into a Linux system. Google Authenticator PAM can be installed in two ways.
Method 1: Installing from the official Ubuntu/Debian repository (preferred for newbies)
- Type the command below in a terminal
sudo apt-get install libpam-google-authenticator
Method 2: Building from source
- Clone the official Google Authenticator open source repository
git clone https://github.com/google/google-authenticator.git
- Change directory to google-authenticator/libpam/
cd google-authenticator/libpam/
- To build Google Authenticator we first need to install the prerequisite software
sudo apt-get install dh-autoreconf build-essential libpam0g-dev
- Then run the following commands to build libpam-google-authenticator
./bootstrap.sh
./configure
make
sudo make install
- To make it functional on Debian/Ubuntu we need to create a soft link in the /lib/ directory
sudo ln -s /usr/local/lib/security/ /lib/
Run Google Authenticator:
- Log in as the user you want to use two-step authentication with. Open a terminal and type the google-authenticator command to create a secret key for that user, then follow the instructions given below
- Google Authenticator will generate and display a secret key and several emergency codes. Write down the emergency codes in case you lose your phone. The emergency codes are also stored in the user's home directory under
~/.google_authenticator
Setting up Google Authenticator on phone:
- Enter the secret key or scan the QR code in the Google Authenticator app on your phone (the official application is available for Android, iOS and BlackBerry)
- Windows Phone users can use the Authenticator app from the Windows Store, and scan the QR code generated in the application or enter the secret key manually.
Setting up Google Authenticator on Linux:
- Enable Google Authenticator for SSH by editing the /etc/pam.d/sshd file on your system. Open it by running the following command
sudo nano /etc/pam.d/sshd
- Then add the following line at the end of the file
auth required pam_google_authenticator.so nullok
- Save the file by pressing Ctrl+O and exit with Ctrl+X
- Next, open the /etc/ssh/sshd_config file by running the following command
sudo nano /etc/ssh/sshd_config
- Then find ChallengeResponseAuthentication, edit it as follows and save the file
ChallengeResponseAuthentication yes
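A way to check that the two edits above are in effect and to flag the nullok option, as an added example that is not part of the original post. The function name audit_ssh_2fa, its exit codes and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the two files this guide edits.
# Returns 0 = TOTP enforced, 2 = enabled but optional (nullok), 1 = not in effect.
audit_ssh_2fa() {
    pam_file=$1
    sshd_file=$2
    rc=0

    # First active (uncommented) auth line that loads the module.
    pam_line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' \
        "$pam_file" | head -n 1)
    if [ -z "$pam_line" ]; then
        echo "FAIL: pam_google_authenticator.so is not enabled in $pam_file"
        rc=1
    elif printf '%s\n' "$pam_line" | grep -Eq '[[:space:]]nullok([[:space:]]|$)'; then
        # nullok: accounts with no ~/.google_authenticator are not asked for a code.
        echo "WARN: nullok set, users who never ran google-authenticator skip the code"
        rc=2
    else
        echo "OK: module enabled without nullok"
    fi

    # sshd uses the first value it reads for a keyword; keywords are case-insensitive.
    # OpenSSH 8.7+ names this option KbdInteractiveAuthentication (old name is an alias).
    # This check requires the explicit "yes" that the guide sets.
    cra=$(awk '{ k = tolower($1) }
        k == "challengeresponseauthentication" || k == "kbdinteractiveauthentication" {
            print tolower($2); exit }' "$sshd_file")
    if [ "$cra" = "yes" ]; then
        echo "OK: challenge-response authentication is on"
    else
        echo "FAIL: challenge-response authentication is '${cra:-unset}' in $sshd_file"
        rc=1
    fi
    return "$rc"
}

# Constructed sample files that mirror the lines added in this guide.
demo_dir=$(mktemp -d)
printf 'auth required pam_google_authenticator.so nullok\n' > "$demo_dir/pam_sshd"
printf 'ChallengeResponseAuthentication yes\n' > "$demo_dir/sshd_config"
audit_ssh_2fa "$demo_dir/pam_sshd" "$demo_dir/sshd_config" || echo "exit status: $?"
rm -rf "$demo_dir"
```

On a live host, pass /etc/pam.d/sshd and /etc/ssh/sshd_config as the two arguments; sudo sshd -T prints the effective sshd configuration if you want to confirm what the daemon actually loaded.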