If you’re looking to add an extra layer of ironclad security to your Linux server, there are few better options than two-factor authentication. In this guide, we’ll show you how to install Google PAM (the Google Authenticator PAM module) for SSH authentication.

    Step #1 – Configure Google PAM

    First, let’s update Ubuntu’s apt package cache:

     

    sudo apt-get update

    Next we’ll install the Google Authenticator PAM module, libpam-google-authenticator:

     

    sudo apt-get install libpam-google-authenticator -y

     

    Well that was easy, wasn’t it?

     

    Initial Configuration for Google PAM

     

    Now that we’ve got PAM installed, let’s start the application:

     

    google-authenticator

     

    At this point, you’ll be presented with a number of initial configuration options. Let’s walk through these. First you’ll be asked if you want to use the time-based option for authentication tokens. Selecting no here would configure the module to use sequential (counter-based) tokens, which aren’t terribly compatible and make for a less than ideal first experience, so let’s choose Y here to avoid that:

     

    Do you want authentication tokens to be time-based (y/n) y

     

    Answer Y here so that the secret and your settings are written to ~/.google_authenticator; answering no ends the program without saving anything:

     

    Do you want me to update your "~/.google_authenticator" file (y/n) y

     

    Unless you’re a fan of replay attacks, you’ll probably want to disable multiple uses of the same auth token in this next step, so select Y here:

     

    Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n) y

     

    Answer yes here only if you want to give attackers a broader window in which a captured code is still valid. Answer N to keep the default 1:30 window:

     

    By default, tokens are good for 30 seconds and in order to compensate for
    possible time-skew between the client and the server, we allow an extra
    token before and after the current time. If you experience problems with poor
    time synchronization, you can increase the window from its default
    size of 1:30min to about 4min. Do you want to do so (y/n) n

     

    By enabling rate-limiting, you’ll limit attackers to a certain number of attempts before they’re blocked, which is a good thing, and (assuming you haven’t previously set up a rate-limiting policy for SSH) this will definitely bolster your security level. Answer Y:

     

    If the computer that you are logging into isn't hardened against brute-force
    login attempts, you can enable rate-limiting for the authentication module.
    By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting (y/n) y

     

    Great! Now you’ve got Google PAM installed so it’s on to the configuration!
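    To make the choices above concrete, here is an added example (not code from the original post or from the google-authenticator project) of a server-side TOTP verifier that models them: 30-second time-based tokens, the default skew window of one token before and after the current one (1:30 in total), rejection of a token that has already been used, and no more than 3 attempts per 30 seconds. The rate-limit and replay bookkeeping is a simplified model, not the module’s own code, and the secret and timestamps are constructed test values.

```python
# Added example (not part of the original post): a minimal TOTP verifier that
# models the google-authenticator choices walked through above: time-based
# 30-second tokens (RFC 6238 on top of RFC 4226 HOTP), the default skew window
# of one token before and after the current one (1:30 in total), rejecting a
# token that was already used (replay), and at most 3 attempts per 30 seconds.
# The bookkeeping is a simplified model of the real module, not its code.
import base64
import hashlib
import hmac
import struct

STEP = 30        # token lifetime in seconds
DIGITS = 6       # code length shown by the authenticator app
SKEW_STEPS = 1   # tokens accepted before/after "now": 3 tokens = 1:30 window

# Constructed secret: base32 of the RFC 4226/6238 test key "12345678901234567890".
# A real secret is generated by google-authenticator and kept in
# ~/.google_authenticator; never reuse this one.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32, at_unix_time):
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30 s step."""
    return hotp(secret_b32, at_unix_time // STEP)


class TotpVerifier:
    """Server-side verification with the three defences chosen above."""

    def __init__(self, secret_b32, skew_steps=SKEW_STEPS,
                 max_attempts=3, rate_window=30):
        self.secret = secret_b32
        self.skew = skew_steps
        self.max_attempts = max_attempts
        self.rate_window = rate_window
        self.used_counters = set()   # "disallow multiple uses of the same token"
        self.attempt_times = []      # recent attempts, for rate limiting

    def verify(self, code, now):
        """Return (accepted, reason). Every attempt, good or bad, counts toward
        the rate limit, so guessing is bounded to max_attempts codes per window."""
        self.attempt_times = [t for t in self.attempt_times
                              if now - t < self.rate_window]
        if len(self.attempt_times) >= self.max_attempts:
            return False, "rate-limited"
        self.attempt_times.append(now)

        current = now // STEP
        for delta in range(-self.skew, self.skew + 1):
            counter = current + delta
            # constant-time compare so timing does not leak which digits match
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.used_counters:
                    return False, "replay"       # token already spent
                self.used_counters.add(counter)
                return True, "ok"
        return False, "bad-code"


if __name__ == "__main__":
    v = TotpVerifier(DEMO_SECRET_B32)
    code = totp(DEMO_SECRET_B32, 59)        # RFC 6238 test vector: "287082"
    print(code, v.verify(code, 59))         # (True, 'ok')
    print(code, v.verify(code, 60))         # (False, 'replay')
```

    Widening the window (the 4-minute option above) is simply a larger SKEW_STEPS: it helps a client with a drifting clock, but every extra step is another code that an attacker who captured one could still replay or guess, which is why the default is kept here.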

     

    Configuring PAM with SSH

     

    Let’s crack open the PAM configuration file using Nano:

     

    sudo nano /etc/pam.d/sshd

     

    Right below the line @include common-password, add the following to require the Google Authenticator module, with nullok so that users who haven’t yet run google-authenticator can still log in without a code (remove nullok once everyone is enrolled):

     

    auth required pam_google_authenticator.so nullok

     

    Close out the file and save it.

     

    Now let’s make an edit to the SSHD configuration:

     

    sudo nano /etc/ssh/sshd_config

     

    Locate the line that reads ChallengeResponseAuthentication and ensure it’s set to yes:

     

    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication yes

     

    Close and save your edit and restart the SSHD service:

     

    service sshd restart

     

    Now we’ll re-edit the SSHD configuration:

     

    sudo nano /etc/ssh/sshd_config

     

    Look for the line that reads UsePAM yes and add the following line below it to set the authentication method to SSH key, then either a password or a verification code:

     

    UsePAM yes
    AuthenticationMethods publickey,password publickey,keyboard-interactive

     

    Now we’ll re-edit the PAM configuration file as well:

     

    sudo nano /etc/pam.d/sshd

     

    Locate the line # Standard Un*x authentication. and right below it, uncomment the line #@include common-auth by removing the # so that it looks like this:

     

    # Standard Un*x authentication.
    @include common-auth

     

    Close out of the file, save it, and restart SSH again with the same service restart command as before.

    Now for the fun part! Open a new SSH session. If all went well, you should now be prompted for a verification code after your SSH key is accepted.

     

    Assuming all went well with your test – that’s it, you’re done!
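    Before relying on the new login flow, it is worth confirming that the edits above are the ones sshd actually applies. sshd keeps the first uncommented value it sees for a keyword, so a stale ChallengeResponseAuthentication no earlier in sshd_config silently beats an edit further down. The following is an added example (not from the original post or from OpenSSH) that models that rule over constructed sample copies of sshd_config and /etc/pam.d/sshd and reports what is missing; the sample contents and the check names are assumptions made for the demo.

```python
# Added example (not part of the original post): checks that the sshd_config
# and /etc/pam.d/sshd edits from the guide are in effect. sshd uses the FIRST
# uncommented value for each keyword, so the parser models that rule and stops
# at the first Match block, whose settings only apply conditionally.
# File contents below are constructed samples, not real server files.
import re

SAMPLE_SSHD_GOOD = """\
# constructed sshd_config
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
Match User backup
    AuthenticationMethods publickey
"""

SAMPLE_SSHD_STALE = """\
# constructed sshd_config: the edit at the bottom never takes effect
ChallengeResponseAuthentication no
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
ChallengeResponseAuthentication yes
"""

SAMPLE_PAM_SSHD = """\
# constructed /etc/pam.d/sshd
# Standard Un*x authentication.
@include common-auth
@include common-password
auth required pam_google_authenticator.so nullok
"""


def sshd_effective(text):
    """{keyword.lower(): value} using sshd's first-occurrence-wins rule."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break                       # conditional section: out of scope here
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective


def pam_entries(text):
    """Uncommented /etc/pam.d lines split into fields."""
    return [line.split() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def check_2fa_config(sshd_text, pam_text):
    """Return (problems, warnings) for the setup described in the guide."""
    problems, warnings = [], []
    eff = sshd_effective(sshd_text)
    # OpenSSH 8.7+ calls this KbdInteractiveAuthentication; the old name is an alias
    cra = eff.get("kbdinteractiveauthentication",
                  eff.get("challengeresponseauthentication", ""))
    if cra.lower() != "yes":
        problems.append("ChallengeResponseAuthentication is not yes")
    if eff.get("usepam", "").lower() != "yes":
        problems.append("UsePAM is not yes")
    if "publickey,keyboard-interactive" not in eff.get("authenticationmethods", "").split():
        problems.append("AuthenticationMethods lacks publickey,keyboard-interactive")

    entries = pam_entries(pam_text)
    ga = [e for e in entries if len(e) >= 3 and e[0] == "auth"
          and e[2] == "pam_google_authenticator.so"]
    if not ga:
        problems.append("no auth line for pam_google_authenticator.so")
    elif "nullok" in ga[0][3:]:
        warnings.append("nullok: users without ~/.google_authenticator skip 2FA")
    if ["@include", "common-auth"] not in entries:
        problems.append("@include common-auth is commented out or missing")
    return problems, warnings


if __name__ == "__main__":
    print(check_2fa_config(SAMPLE_SSHD_GOOD, SAMPLE_PAM_SSHD))
    print(check_2fa_config(SAMPLE_SSHD_STALE, SAMPLE_PAM_SSHD))
```

    On a real server, sudo sshd -T prints the effective configuration after all of these rules are applied, so its output is the authoritative thing to compare against; the checker above is a way to see why an edit that looks right in the editor can still be ignored.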
