How to set up Two Factor Authentication with Google Authenticator
Google's 'Google Authenticator' is an excellent way to set up Two-Factor Authentication on an x10VPS, or indeed any system.
Enabling this extra security requires:
- a smartphone (Android, iPhone, or BlackBerry)
- the Google Authenticator app
N.B.: For the purposes of this tutorial we will be using Ubuntu, because that is the OS in use by the Author. 'Translations' to other package managers and any extra steps required may be added in due course by others.
N.B.: If you are not running as root you may need to prefix these commands with sudo.
First you will need to install three pieces of software:
- apt-get update
- apt-get install gcc git libpam0g-dev
Now, clone the repository and compile:
- cd ~
- git clone https://code.google.com/p/google-authenticator/
- cd google-authenticator/libpam
- make install
You should see some text scrolling by ending similar to this:
- cp pam_google_authenticator.so /lib/x86_64-linux-gnu/security
- cp google-authenticator /usr/local/bin
System Configuration for Google Authenticator
First, edit the file /etc/ssh/sshd_config and change the ChallengeResponseAuthentication from no to yes
- # Change to yes to enable challenge-response passwords (beware issues with
- # some PAM modules and threads)
- ChallengeResponseAuthentication yes
Now, edit the /etc/pam.d/common-auth file to include the Google Authenticator module in the PAM configuration. Insert a new line between the comment and the first auth line:
- # here are the per-package modules (the "Primary" block)
- auth required pam_google_authenticator.so
- auth [success=1 default=ignore] pam_unix.so nullok_secure
- # here's the fallback if no module succeeds
User Configuration for Google Authenticator
NOTE: Make sure you are logged in as you - this will need to be done for each user and is not a system wide change.
Run the command google-authenticator and follow the text extract below:
- Do you want authentication tokens to be time-based (y/n) y
- Your new secret key is: [...]
- Your verification code is [...]
- Your emergency scratch codes are:
- Do you want me to update your "/[username]/.google_authenticator" file (y/n) y
- Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks
- (y/n) y
- By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so
- (y/n) y
- If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
- Do you want to enable rate-limiting (y/n) y
You must now open the link shown above the line with your secret key - this will show a QR code you can scan with the Google Authenticator app. If this does not work and / or you are unable to scan QR codes, you can set it up manually, account name is whatever will help you remember, and the code is the secret key. Make sure you specify that the key should be time based in the app.
Now, restart the SSH service. DO NOT CLOSE YOUR CURRENT SSH CONNECTION / WINDOW
- service ssh restart
When this completes (usually instantly), try to open a new SSH connection. You will be asked for your username, then the key from the Authenticator app, and finally your password.
IF THIS DOES NOT WORK PLEASE REVERT THE CHANGES ABOVE USING THE PREVIOUS SSH CONNECTION, REMEMBERING TO RESTART THE SSH SERVICE AGAIN, AND SEEK FURTHER ASSISTANCE.
Please note that x10Hosting cannot he held liable for any downtime, and that the SLA does not apply to any services used in connection with 2-step verification if the verification process fails. THIS INSTALLATION IS CARRIED OUT AT YOUR OWN RISK. Please also note that, subject to proving your identity satisfactorily to the administration team, should there be an irrecoverable error caused, the administration team should be able to disable the Google Authenticator service on your behalf. And on a friendlier note, the Author wrote these instructions whilst carrying them out, with no issues except for not initially restarting the SSH service.