CentOS 5: enabling two-factor SSH authentication via Google

Today I noticed a very nice article about enabling Google's two-factor authentication for Linux SSH.


After reading it... I found some time to play with it... so I enabled it within 10 minutes on my CentOS 5 64-bit playground server... but there are some small 'caveats'.


hg - Command


To check out the code, you must install the mercurial RPM... this one is available via the EPEL repositories.


So after having the EPEL repositories enabled, run as root:


yum -y install mercurial


Compiling the PAM module


First check out the code:


hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/


You cannot compile the module directly... therefore you must apply a small change to the Makefile.


Change /usr/lib/libdl.so to /usr/lib64/libdl.so wherever it is stated (3 occurrences), then build and install:


$ make
$ sudo make install


Now you have to update /etc/pam.d/sshd so it contains:


#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so


Configure SSH


You also have to make sure that in /etc/ssh/sshd_config the following settings are set to yes:


ChallengeResponseAuthentication yes
UsePAM yes


And restart the SSH daemon.
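Before restarting sshd it is worth verifying that both files really end up in the state described above. The following Python script is an added example, not code from the article or from the google-authenticator project. It parses constructed samples of sshd_config and /etc/pam.d/sshd (embedded inline, not read from disk) and applies two rules that are easy to get wrong: sshd honours only the first occurrence of a keyword, so a later `ChallengeResponseAuthentication yes` does not override an earlier `no`, and the PAM control flag for the module should be `required` (as in the article), because `sufficient` would let a correct OTP alone satisfy the auth stack and skip the password check in system-auth. The function and sample names are this example's own.

```python
import re

# Constructed sample configs (not copied from a real host). This first
# sshd_config sets ChallengeResponseAuthentication twice; sshd honours the
# FIRST occurrence, so the effective value is "no" despite the later "yes".
SSHD_CONFIG_BAD = """\
Port 22
ChallengeResponseAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
"""

SSHD_CONFIG_GOOD = """\
# sample with both settings as the article requires
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed /etc/pam.d/sshd in the layout shown in the article.
PAM_SSHD_GOOD = """\
#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
"""

# Same file with the module marked 'sufficient': a correct OTP alone would
# then satisfy the auth stack and the password step in system-auth is skipped.
PAM_SSHD_WEAK = re.sub(r"required(\s+pam_google)", r"sufficient\1", PAM_SSHD_GOOD)


def sshd_settings(text):
    """Map lowercase keyword -> value, keeping only the first occurrence
    (sshd semantics). Comments and blank lines are skipped; Match blocks
    are not modelled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def sshd_problems(text):
    """Return the list of sshd_config settings that block PAM-based OTP."""
    s = sshd_settings(text)
    problems = []
    for key in ("challengeresponseauthentication", "usepam"):
        if s.get(key, "").lower() != "yes":
            problems.append("%s is %r, expected 'yes'" % (key, s.get(key)))
    return problems


def pam_auth_stack(text):
    """Return [(control, module)] for the 'auth' lines of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def pam_problems(text):
    """Check that pam_google_authenticator.so is in the auth stack and is
    enforced with 'required' (or 'requisite'), never 'sufficient'."""
    stack = pam_auth_stack(text)
    hits = [c for c, m in stack if m == "pam_google_authenticator.so"]
    if not hits:
        return ["pam_google_authenticator.so missing from auth stack"]
    return ["control is %r, expected 'required' or 'requisite'" % c
            for c in hits if c not in ("required", "requisite")]


if __name__ == "__main__":
    for name, txt in (("sshd bad", SSHD_CONFIG_BAD), ("sshd good", SSHD_CONFIG_GOOD)):
        print(name, sshd_problems(txt) or "OK")
    for name, txt in (("pam good", PAM_SSHD_GOOD), ("pam weak", PAM_SSHD_WEAK)):
        print(name, pam_problems(txt) or "OK")
```

To use it against a real box, read the two files into the `text` arguments instead of the inline samples; the checks themselves stay the same.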


Set up your smartphone/credentials on the system


$ google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DSAEP64T5VZAVWAFB
Your new secret key is: SAEP64T5VZAVWAFB
Your verification code is 376046
Your emergency scratch codes are:
  67868696
  26247332
  54815527
  54336661
  71083816
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
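Each of the questions above maps to a server-side policy: codes live for a 30-second step and, with the default window, one step of skew is accepted on either side (three valid codes, the 1:30 min mentioned); a token already used is refused; attempts are limited to 3 per 30 seconds; and the scratch codes work exactly once. The following Python model is an added example, not code from the article or from the google-authenticator PAM module: it implements RFC 6238 TOTP (HMAC-SHA1, 6 digits) and a small `OtpVerifier` class of this example's own design that applies those four policies. The base32 key in the demo is the RFC 6238 test key (ASCII "12345678901234567890"), and the scratch code is taken from the article's sample output rather than a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # token lifetime in seconds (the default the setup tool mentions)
DIGITS = 6   # Google Authenticator shows 6-digit codes

# RFC 6238 test key, ASCII "12345678901234567890", in the base32 form the
# authenticator app expects. Known vector: counter 59 // 30 -> "287082".
RFC_TEST_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_at(secret_b32, counter):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for one 30 s counter value."""
    secret_b32 = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class OtpVerifier:
    """Server-side model of the options google-authenticator asked about."""

    def __init__(self, secret_b32, scratch_codes=(), skew_steps=1,
                 disallow_reuse=True, rate_limit=(3, 30)):
        self.secret = secret_b32
        self.scratch = set(scratch_codes)      # emergency codes, valid once
        self.skew = skew_steps                 # 1 -> 3 accepted codes (1:30 min)
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.rate_window = rate_limit
        self.used_counters = set()             # counters already redeemed
        self.attempts = []                     # timestamps of recent attempts

    def verify(self, code, now=None):
        """Return 'ok', 'ok-scratch', 'replayed', 'rate-limited' or 'bad-code'."""
        now = int(time.time()) if now is None else int(now)
        # Rate limiting: every attempt counts, successful or not.
        self.attempts = [t for t in self.attempts if now - t < self.rate_window]
        if len(self.attempts) >= self.max_attempts:
            return "rate-limited"
        self.attempts.append(now)
        # Scratch codes are burned on first use.
        if code in self.scratch:
            self.scratch.discard(code)
            return "ok-scratch"
        counter = now // STEP
        for c in range(counter - self.skew, counter + self.skew + 1):
            if hmac.compare_digest(totp_at(self.secret, c), code):
                if self.disallow_reuse and c in self.used_counters:
                    return "replayed"
                self.used_counters.add(c)
                return "ok"
        return "bad-code"


if __name__ == "__main__":
    v = OtpVerifier(RFC_TEST_KEY, scratch_codes=("67868696",))
    code = totp_at(RFC_TEST_KEY, 59 // 30)
    print(code, v.verify(code, now=59))      # first use of the token
    print(code, v.verify(code, now=60))      # same token again
    print("current code:", totp_at(RFC_TEST_KEY, int(time.time()) // STEP))
```

Widening the skew window (the "about 4 min" option) is just a larger `skew_steps`; note that every extra step multiplies the number of codes an attacker can hit by chance, which is why the rate limit matters more the wider the window gets.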


And you're done :-D


Give it a try and SSH to that box...


TIP: Make sure you still have an SSH session open... or you might lock yourself out of the system...