Today I noticed a very nice article about enabling Google's two-factor authentication for Linux SSH.
After reading it... I found some time to play with it... so I enabled it within 10 minutes on my CentOS 5 64bit play-ground server... but there are some small 'caveats'.
hg - Command
To checkout the code, you must make install the mercurial RPM... this one is available via the EPEL repositories.
So after having the EPEL repositories enabled, run as root:
yum -y install mercurial
Compiling the PAM module
When you checked out the code.
hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
You cannot compile directly the module... therefor you must apply a small change to the Makefile.
Change where /usr/lib/libdl.so is stated to /usr/lib64/libdl.so (3 occurrences)
$ make
$ sudo make install
Now you've to update the /etc/pam.d/sshd so it contains:
#%PAM-1.0
auth required pam_google_authenticator.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
Configure SSH
You also have to make sure that in /etc/ssh/sshd_config the following settings are set on yes:
ChallengeResponseAuthentication yes
UsePAM yes
And restart the SSH-daemon
Set up your smartphone/credentials on the system
$ google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DSAEP64T5VZAVWAFB
Your new secret key is: SAEP64T5VZAVWAFB
Your verification code is 376046
Your emergency scratch codes are:
67868696
26247332
54815527
54336661
71083816
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
And you're done
Give it a try to SSH to that box...
TIP: Make sure you've an SSH session still open... or you might lock yourself out of the system...