CIP Cyber

OpenSSH Three factor Authentication using Google Authenticator and Public Key authentication

I use Google Authenticator on all of my Google accounts because it’s a nice, efficient way to do multi-factor authentication for the great price of free-ninety-nine. I wanted to use it on one of my servers, but I wanted to be extra secure and use not only TOTP, but password-based and RSA key authentication as well. All of the documentation I could find on doing so with OpenSSH was only on doing Google Authenticator’s TOTP and password-based authentication. Thankfully, this is possible since OpenSSH 6.2 introduced the AuthenticationMethods option.

Setting up Google Authenticator

For this I am going to be using Ubuntu 14.04 LTS, which makes setting up Google Authenticator really, really simple.

sudo apt-get install libpam-google-authenticator

Insanely difficult, I know. In this case, this only installs the PAM library on the server.




After that, we will instruct PAM to load the plugin by adding the following line to /etc/pam.d/sshd:

auth required pam_google_authenticator.so



Finally, we need to tell OpenSSH to use challenge-response authentication, as well as force the use of multiple factors of authentication.

In /etc/ssh/sshd_config, edit the ChallengeResponseAuthentication line to read as below:

ChallengeResponseAuthentication yes

We must also add the following lines:

UsePAM yes
AuthenticationMethods keyboard-interactive:pam,publickey

This will tell OpenSSH to enable PAM authentication, as well as requiring a private key from the person trying to authenticate to the server. The comma between the two methods means both must succeed; methods separated by a space would be alternatives.



Now, su to the user, and run the
google-authenticator command to create a Google Authenticator secret for that user.
Note that you can use the same secret across multiple users if you’d like, but that kind of kills the
purpose…

Now, restart the SSH service on the server and test the login.

sudo service ssh restart
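
A script that audits the two edited files for the settings from the steps above and flags an AuthenticationMethods value that would accept fewer factors. It is an added example, not from the original article: the function names check_3fa and sshd_value are hypothetical, it assumes no Match blocks or Include files, and the nullok test covers a pam_google_authenticator option the article does not use.

```shell
#!/bin/sh
# Added example, not from the article. Assumes "Keyword value" syntax and
# no Match blocks or Include files; function names are hypothetical.

# First value of a keyword: sshd keywords are case-insensitive, first one wins.
sshd_value() {  # $1 = keyword, $2 = sshd_config path
    awk -v k="$1" '!/^[ \t]*#/ && tolower($1) == tolower(k) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# Prints one FAIL line per problem; exit status 0 only if nothing was found.
check_3fa() (  # $1 = sshd_config path, $2 = PAM service file for sshd
    rc=0
    fail() { echo "FAIL: $*"; rc=1; }
    [ "$(sshd_value UsePAM "$1")" = yes ] || fail "UsePAM is not set to yes"
    [ "$(sshd_value ChallengeResponseAuthentication "$1")" = yes ] ||
        fail "ChallengeResponseAuthentication is not set to yes"
    am=$(sshd_value AuthenticationMethods "$1")
    [ -n "$am" ] || fail "AuthenticationMethods unset: one method is enough"
    # Space-separated lists are alternatives, so each must demand both methods.
    for alt in $am; do
        case ",$alt," in *,publickey,*) ;;
            *) fail "'$alt' does not require publickey" ;; esac
        case ",$alt," in *,keyboard-interactive,*|*,keyboard-interactive:pam,*) ;;
            *) fail "'$alt' does not require keyboard-interactive" ;; esac
    done
    pam=$(awk '$1 == "auth" && ($2 == "required" || $2 == "requisite") &&
        $3 ~ /pam_google_authenticator\.so$/ { $1 = $1; print; exit }' "$2")
    [ -n "$pam" ] || fail "pam_google_authenticator.so is not a required auth module"
    # nullok (a module option) lets accounts without a secret skip the code.
    case " $pam " in *" nullok "*) fail "nullok is set" ;; esac
    exit "$rc"
)

# Constructed sample files: the article's settings and a weakened variant.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf 'auth required pam_google_authenticator.so\n' > "$d/pam"
printf '%s\n' 'ChallengeResponseAuthentication yes' 'UsePAM yes' \
    'AuthenticationMethods keyboard-interactive:pam,publickey' > "$d/good"
printf '%s\n' 'ChallengeResponseAuthentication yes' 'UsePAM yes' \
    'AuthenticationMethods publickey keyboard-interactive:pam' > "$d/weak"
check_3fa "$d/good" "$d/pam" && echo "good: every login needs all factors"
check_3fa "$d/weak" "$d/pam" || echo "weak: one method alone is accepted"
```

On a real server, point it at /etc/ssh/sshd_config and /etc/pam.d/sshd, and run sshd -t to catch syntax errors before restarting the service.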




A successful login should look like below.

[Image: OpenSSH tutorial Three factor authentication]

Should an attacker somehow compromise
both your password and your Google Authenticator, they will still require your public
key, as shown below.

 


So now, in order to authenticate to the
server via SSH, you will need your password, the password to the account, the private
key, and, if you’re feeling extra special, the passphrase to your private key. If you combine this
method of authentication with other ways of securing your SSH server, like port-knocking or
running fail2ban, you can certainly make SSH authentication much, much more secure than just
needing a password to the account.



Is this overkill? Probably. Is this
awesome? Certainly.

About the Author

Jonathan is an IT Security Engineer at ReliaQuest in Tampa, Florida.

 
