Debian Tutorials

Step by step tutorials showing you how to install and configure various applications and services on Debian based Linux distros.


Secure SSH with Two-Factor Authentication (using Google Authenticator) on squeeze

Ástþór IP

Two-factor authentication adds an extra layer of security to the authentication process to prevent unauthorized users from accessing your services or data. Normally you only type a username and password (something you know), but with two-factor authentication you also need to provide something you have (a mobile phone running Android, iOS or Blackberry that shows one-time codes when using Google Authenticator).

[Image: Google Authenticator on iPhone]

1. Download and install the Google Authenticator app for your phone. Here you can find instructions: http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447

2. Install required package (used to create QR code)

apt-get install libqrencode3

3. Download the Google Authenticator libpam package from the wheezy repository.

wget http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20110413.68230188bdc7-1.1_amd64.deb

4. Install Google Authenticator

dpkg -i libpam-google-authenticator_20110413.68230188bdc7-1.1_amd64.deb

5. Configure Google Authenticator. This has to be done for each account that should be able to log in with two-factor authentication.

google-authenticator

6. Scan the QR code with your phone in the Google Authenticator app and answer yes to all questions unless you want some specific options.

7. Configure PAM to use the Google Authenticator library. Add this line somewhere in the file (pico /etc/pam.d/ssh):

auth required pam_google_authenticator.so

8. Open the SSH daemon configuration (pico /etc/ssh/sshd_config), locate the line starting with ChallengeResponseAuthentication and change the value to yes:

ChallengeResponseAuthentication yes

9. Restart SSH

/etc/init.d/ssh restart

The next time you log in over SSH you will be prompted for a verification code in addition to the standard login and password. This is where you enter the code shown on your mobile device.

[Image: SSH authentication with Google Authenticator]
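
A quick way to confirm that steps 5, 7 and 8 took effect before relying on the second factor, as an added example that is not part of the original tutorial. It inspects both /etc/pam.d/ssh (the path used in step 7) and /etc/pam.d/sshd (the path a commenter below reports for Wheezy); the check_2fa function, its ROOT prefix argument and the "only line in the file" heuristic are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: audit steps 5, 7 and 8.
# check_2fa ROOT HOME returns the number of problems found (0 = all good).
# ROOT is this example's own convention: "" = live system, else a copy's prefix.

# Number of active (non-blank, non-comment) lines in a file.
active_lines() { grep -Evc '^[[:space:]]*(#|$)' "$1"; }

check_2fa() {
    root=$1; home=$2; problems=0; pam_ok=no
    mod='^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so'

    # Step 7: inspect both PAM file names that appear on this page.
    for f in "$root/etc/pam.d/ssh" "$root/etc/pam.d/sshd"; do
        [ -f "$f" ] || continue
        grep -Eq "$mod" "$f" || continue
        if [ "$(active_lines "$f")" -le 1 ]; then
            # Heuristic: a service file holding nothing but this line was most
            # likely created by the editor, so it may not be the file sshd reads.
            echo "WARN: $f contains only the authenticator line"
        else
            echo "OK:   $f loads pam_google_authenticator.so"; pam_ok=yes
        fi
    done
    [ "$pam_ok" = yes ] || { echo "FAIL: no usable PAM entry"; problems=$((problems + 1)); }

    # Step 8: sshd uses the first value it reads for a keyword, so do the same.
    val=$(awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }' \
        "$root/etc/ssh/sshd_config" 2>/dev/null) || val=
    if [ "$val" = yes ]; then
        echo "OK:   ChallengeResponseAuthentication yes"
    else
        echo "FAIL: ChallengeResponseAuthentication is '${val:-unset}' in sshd_config"; problems=$((problems + 1))
    fi

    # Step 5: google-authenticator stores the account's secret in this file;
    # it should exist and be closed to group and other.
    secret="$home/.google_authenticator"
    if [ ! -f "$secret" ]; then
        echo "FAIL: $secret missing, run google-authenticator as this user"; problems=$((problems + 1))
    elif [ "$(ls -ld "$secret" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $secret is accessible to group or other"; problems=$((problems + 1))
    else
        echo "OK:   $secret present and private"
    fi
    return "$problems"
}

# Audit the live system for the invoking user when called with --live.
if [ "${1:-}" = --live ]; then check_2fa "" "$HOME"; fi
```

Run it as each account that should log in with a verification code, and keep an existing SSH session open until it reports no failures.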

Comments 2
  • gags

    I tried everything word to word on a fresh Wheezy but couldn’t get this to work. Noteworthy to tell, my /etc/pam.d/ssh was empty when I pasted in “auth required pam_google_authenticator.so”.

    Something is not being read by SSH and thus being ignored. Kindly explain what can be a problem?

    I can give you SSH access for the VPS if you want!


  • estufa12

    Should be /etc/pam.d/sshd for Wheezy.