Two-factor authentication for SSH

On each Linux server you install there is SSH, used to log in as root and install or edit software. Even if you harden this by disallowing root logins, there is a chance somebody figures out a valid username and brute-forces the password. In many situations I have added firewall rules with my own IPs in them, but that is hardly user-friendly, especially since I am on the road a lot.

While looking for a better, safer way to handle this I found Google Authenticator to be the best solution: very easy to install, and it comes with an iPhone app. Google Authenticator is an open-source project from Google that includes a PAM (Pluggable Authentication Module) implementing one-time passcode (TOTP) verification, plus apps for several mobile platforms. The one-time codes follow the open standards published by OATH (Initiative for Open Authentication).

Here are the steps to install Google Authenticator on a Debian box.

First install the required packages:
[code]apt-get install libpam0g-dev make gcc wget[/code]

Now download the Google Authenticator source tarball (libpam-google-authenticator-1.0-source.tar.bz2) to the server with wget and unpack it in /usr/src:
[code]cd /usr/src
tar -xjvf libpam-google-authenticator-1.0-source.tar.bz2[/code]

Building and installing the package is as easy as running the following commands:
[code]cd libpam-google-authenticator-1.0
make install[/code]

That installs the PAM module and the google-authenticator helper. Next, run google-authenticator as the user that will be logging in (root here). It starts a wizard that generates the secret and asks several questions. Make sure you store the emergency scratch codes somewhere safe: each one is a single-use code that gets you in when you don't have the phone at hand.

[code][root@HST-WWW01 libpam-google-authenticator-1.0]# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
×200&chld=M|0&cht=qr&chl=otpauth://totp/root@HST-WWW01%3Fsecret%3DEVQP6F5PFNQRNWUO

Your new secret key is: XEKITDTYCBAXXX
Your verification code is 461618
Your emergency scratch codes are:
[/code]

Next, follow the setup wizard; in most cases the answer is "y" (yes), as shown below. The long line printed after the first question is a Google Charts URL that renders the otpauth:// URI as a QR code for the app; it contains the secret, so treat it like a password and don't paste it anywhere public.

[code]Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y[/code]
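To make clear what the PAM module does with the answers above, here is an added example in plain Python (written for this post, not code from the Google Authenticator project). It computes the same TOTP codes the app shows and checks a submitted code the way the wizard's settings describe: a time-skew window of one 30-second step on either side (the 1:30 min window), no reuse of a code that was already accepted, and the emergency scratch codes as a single-use fallback. The secret is the RFC 4226 test key (ASCII "12345678901234567890", base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), the scratch codes are made up, and the Verifier class and its method names are my own.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 test secret ("12345678901234567890" in base32); not a real key.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed emergency scratch codes for the demo (the wizard prints five).
SAMPLE_SCRATCH = [11223344, 55667788]


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduced to `digits` decimal digits."""
    pad = "=" * (-len(secret_b32) % 8)          # base32 input needs padding to 8
    key = base64.b32decode(secret_b32.upper() + pad)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / 30 s).
    This is what the phone app computes every 30 seconds."""
    return hotp(secret_b32, unix_time // step, digits)


class Verifier:
    """Server-side check modelled on the wizard's options: window=1 accepts
    the previous, current and next 30 s code; accepted counters are
    remembered so the same code cannot be replayed ("disallow multiple uses");
    scratch codes are burned once used."""

    def __init__(self, secret_b32, scratch_codes, window=1, step=30):
        self.secret = secret_b32
        self.scratch = set(scratch_codes)   # single use: removed when spent
        self.window = window
        self.step = step
        self.used = set()                   # counters already accepted

    def verify(self, code, now):
        counter = now // self.step
        candidates = range(counter - self.window, counter + self.window + 1)
        for c in candidates:
            if c in self.used:
                continue                    # replay of an accepted step
            expected = hotp(self.secret, c)
            # constant-time compare on fixed-width strings
            if hmac.compare_digest("%06d" % expected, "%06d" % code):
                self.used.add(c)
                return True
        if code in self.scratch:            # emergency scratch code: burn it
            self.scratch.discard(code)
            return True
        return False


if __name__ == "__main__":
    # Current code for the RFC test key at t=59 s (step 1), as the app would show it.
    print("code at t=59:", "%06d" % totp(SAMPLE_SECRET, 59))
    v = Verifier(SAMPLE_SECRET, SAMPLE_SCRATCH)
    print("first use accepted:", v.verify(totp(SAMPLE_SECRET, 59), 59))
    print("replay accepted:", v.verify(totp(SAMPLE_SECRET, 59), 61))
```

The "one login about every 30 s" restriction the wizard mentions falls straight out of the `used` set: once step N has been accepted, the only codes left are those of steps N-1 and N+1, so a shoulder-surfed or intercepted code is worthless after its first use.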

Now, configure the SSH daemon

Open the PAM configuration file '/etc/pam.d/sshd' and add the following line at the top of the file, before the @include common-auth line, so the one-time code is checked before the password modules. "required" means a wrong code still lets the rest of the stack run before the login fails, so an attacker cannot tell which factor was wrong.
[code]auth required pam_google_authenticator.so[/code]

Open the SSH configuration file '/etc/ssh/sshd_config' and find the line that says
[code]ChallengeResponseAuthentication no[/code]
Change this option to "yes". Also make sure UsePAM is set to yes (the Debian default); without it sshd never consults the PAM stack and the new module is silently ignored.

Before restarting the SSH daemon, install the application called Google Authenticator from the App Store. Without the app (or the scratch codes) you cannot log in anymore 🙂, so keep your current SSH session open until you have confirmed from a second terminal that a new login works.

In the app, tap the 'add' button at the top right. It asks for an account name (for example 'user@host-ip') and the secret key that was printed above: the base32 string after "Your new secret key is:", not the 6-digit verification code, which is just the code that was valid at that moment. Type these in and hit 'Save'. The app immediately starts generating codes.

Finally, restart the SSH daemon (on Debian the init script is called ssh, not sshd):
[code]# /etc/init.d/ssh restart[/code]
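Pulling the three configuration edits above together, here is an added shell snippet (mine, not from the original post) that applies them to the files given as arguments and verifies the result, so you can dry-run it on copies before touching /etc and restarting sshd. The function names are my own; it assumes the plain Debian sshd_config used in this post (no Match blocks) and that the module was installed as pam_google_authenticator.so.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the sshd and PAM edits
# described above to the files given as arguments and check the result.
# Assumes Debian's plain sshd_config (no Match blocks) and that the module
# was installed as pam_google_authenticator.so.

PAM_LINE='auth required pam_google_authenticator.so'

# set_sshd_option FILE KEY VALUE
# Rewrite every "KEY ..." line (commented out or not) to "KEY VALUE";
# append the option if the file does not mention KEY at all.
set_sshd_option() {
    file=$1
    key=$2
    value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        tmp=$(mktemp)
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/" "$file" > "$tmp"
        cat "$tmp" > "$file"      # keeps the original file's owner and mode
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# add_pam_line FILE
# Put the Google Authenticator line at the top of the PAM stack (before
# @include common-auth) unless it is already there.
add_pam_line() {
    file=$1
    if ! grep -q 'pam_google_authenticator.so' "$file"; then
        tmp=$(mktemp)
        { printf '%s\n' "$PAM_LINE"; cat "$file"; } > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    fi
}

# configure_ssh_2fa SSHD_CONFIG PAM_SSHD
# The two edits from the post plus UsePAM, without which sshd never
# consults the PAM stack at all.
configure_ssh_2fa() {
    set_sshd_option "$1" ChallengeResponseAuthentication yes
    set_sshd_option "$1" UsePAM yes
    add_pam_line "$2"
}

# verify_ssh_2fa SSHD_CONFIG PAM_SSHD
# Succeeds only if all three settings are active (uncommented) in the files.
verify_ssh_2fa() {
    grep -Eq '^ChallengeResponseAuthentication[[:space:]]+yes' "$1" &&
    grep -Eq '^UsePAM[[:space:]]+yes' "$1" &&
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$2"
}

# Real run, as root:
#   configure_ssh_2fa /etc/ssh/sshd_config /etc/pam.d/sshd
#   verify_ssh_2fa  /etc/ssh/sshd_config /etc/pam.d/sshd && sshd -t
```

After the real run, `sshd -t` syntax-checks the new sshd_config before you restart the daemon, and the login test should be done from a second terminal while the first session stays open, so a mistake in either file does not lock you out.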

Now try to login again and you will see the difference:
[code]root@h1983567:~# ssh -l root
Verification code:
Linux HST-WWW01 2.6.32-5-amd64 #1 SMP Mon Feb 25 00:26:11 UTC 2013 x86_64[/code]

The verification code on the iPhone changes every 30 seconds, so if you miss one, wait for the next. Because of the time-skew window you chose in the wizard, the server also accepts the code just before and just after the current one, but only if its own clock is right: keep the server synchronised with NTP.

