Linux two step authentication with PAM and Google Authenticator



We can already use two step authentication in GMail with the Google Authenticator Android app. The idea is to create a secret key shared between the service and the Android app; every 30 seconds the app shows a new token that must be provided at login in addition to the password. That token is only valid in that 30s time frame.


Since this provides a nice second security layer for our logins, why not take advantage of it on our Linux box as well?

We'll need two things to get started:

  • Install Google Authenticator on our Android, iOS or Blackberry phone (AFAIK it's not available for WP7, at least not yet).
  • Install the PAM on our Linux box

The first step is trivial, so we'll go for the second one.

If you are using Ubuntu you can install it straight from the repos:

[CODE]sudo apt-get install libpam-google-authenticator[/CODE]

For other distros it might also be available in the repos; if it isn't, you can get the PAM module from the Google Code site.

Once that is installed, run this command as the user who will use two step authentication. If we want to use it for several users we will have to run it once as each of them, since it generates a unique secret key each time.

[CODE]google-authenticator[/CODE]

The first thing we will see is a big QR code. Open the Google Authenticator app on the phone, hit the menu button and select "Scan barcode". Point the camera at the QR code on the screen and you'll get a new item on the Google Authenticator main screen with an ID for the user and computer and the generated token below, along with a counter showing how much time is left before the code expires.

Right below the QR code we'll see something like this:

[CODE]Your new secret key is: [secret_key]
Your verification code is [verification_code]
Your emergency scratch codes are:
[code1]
[code2]
[code3]
[code4][/CODE]

Copy all this somewhere safe. The four "emergency scratch codes" will come in handy if for whatever reason we lose or break our phone. They are one time codes that can be used instead of the tokens generated by Google Authenticator.

Next you'll be asked a few questions to configure some authentication details:

[CODE]Do you want me to update your "~/.google_authenticator" file (y/n)[/CODE]

Answer "y" here to get it configured.

[CODE]Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)[/CODE]

If you'll need to log in more than once every 30 seconds answer "n", otherwise it's OK to answer "y".

[CODE]By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)[/CODE]

Unless your phone and PC clocks are severely out of sync, it should be OK to answer "n" here.

[CODE]If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)[/CODE]

It's a good idea to answer "y" here to prevent brute force attacks.

Up to this point we've just configured the tools we'll need to implement the two step authentication, without actually modifying anything in our login settings yet.

The next steps in this howto will add the PAM to your login. Bear in mind that if you do anything wrong you might find yourself locked out of your box, and if your home folder is encrypted you'll be unable to access your data.

Even if that happens you can still fix it by booting from a livecd and removing the PAM module from the login, but be aware of the potential problems.

We can add the PAM module to several different login methods; we'll just look at the two most interesting options:

[b]1.- The most interesting one: SSH login[/b]

Edit [i]/etc/pam.d/sshd [/i]and add this line at the bottom:

[CODE]auth required pam_google_authenticator.so[/CODE]

Edit [i]/etc/ssh/sshd_config [/i]and either modify (if it already exists) or add this line:

[CODE]ChallengeResponseAuthentication yes[/CODE]

Restart the sshd service (this works for Ubuntu, other distros might have a different way of handling services):

[CODE]sudo service ssh restart[/CODE]

Next time you ssh to the box you'll be prompted for both your password and your verification code.

This will only work if you aren't using key-based authentication; otherwise you'll be automatically logged in as usual.

[b]2.- A less interesting option: your local login[/b]

Depending on your distro you might be using a different login manager. Pick and edit the correct file among these (you'll likely only have one of them):

  • /etc/pam.d/gdm
  • /etc/pam.d/lightdm
  • /etc/pam.d/kdm

Add this line at the bottom:

[CODE]auth required pam_google_authenticator.so[/CODE]

That's it. Next time you log in you'll be prompted for your password first and then your verification code.


Now, as a side note, why is this local login a "less interesting option"?

The two step authentication will keep users out of your box as long as they don't also have access to your phone, but you shouldn't forget that there's no way to really secure a box if the attacker has physical access to it.

The secret key is stored in your home folder. The attacker could boot your box from a livecd, get the key and generate his own tokens.

Then again, the same thing holds true for your user password, so that's not to say that two step authentication is not secure; it just has the same problems as any other login method when it comes to physically accessible machines.
