Mostly taken and condensed from: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/
- Install the package: sudo apt-get install libpam-google-authenticator
- Edit /etc/pam.d/sshd to have the line: auth required pam_google_authenticator.so
- Edit /etc/ssh/sshd_config to have the line: ChallengeResponseAuthentication yes
- Make sure you're no longer sudo'd or running as root and that your're whatever user you want to log in as and run google-authenticator from your home directory. Be sure to take down the secret, scratch codes, and/or the QR code.
- sudo service ssh restart
Now you should be good to go.
In Ubuntu 13.10 for step 2, there will not be that line already in the file.
For step 3, ChallengeResponseAuthentication will be set to 'no'. Just change it to 'yes'.
No promises for other linux distros, but the above should work. If it doesn't you'll have to grab source and compile from the google-authenticator project on google-code.
Note: if you don't even want to have to enter the password (seriously stupid, but could be fun for a CTF or for learning purposes) comment out the following line in your /etc/pam.d/sshd file: @include common-auth
This was the first line of code in my sshd file and the helpful comments explain that it controls "Standard Un*x authentication". Fun stuff. For the love of all that is bacon and blue skies, don't do this in prod unless you're using a different auth mechanism in addition to 2FA.
Next up, google-auth for open-vpn.
I followed these steps very clearly remembering that this would allow me to initialize my token after first login, even via ssh. I'm now locked out. Let me update this post once I fix that with more granular instructions.
ReplyDeleteThis comment has been removed by the author.
DeleteI forgot step 4 in the above comment. I reset the VM again and did it right this time.
Delete