Google Authenticator as a second factor authentication
Description
In this post I would like to share another solution (in my previous post I was talking about DUO - https://duo.com) that can be used as a second authentication factor.
At the moment there are a few products on the market that do the same thing, but Google Authenticator is easy to install and manage and, best of all in my opinion, it needs no server to synchronize with: the codes are time-based (TOTP), so the phone and the server only have to share a secret and agree, roughly, on the time of day.
Explanation
- I'll show you how to install Google Authenticator and use it on a Linux-like system.
- In this post I'll show how Google Authenticator integrates with OpenSSH; because it is a PAM module it can also be stacked with other PAM-aware services, LDAP-backed logins for example. That part will be covered in another post.
- I'm using Google Authenticator (the application installed on my phone) to authenticate into all my accounts (Gmail, Outlook, Amazon, WordPress) and it hasn't failed.
- I'm using the Google Authenticator library and the Google Authenticator application for SSH authentication into some important systems that are exposed to the Internet, and it works great. It can be used together with fail2ban, which I described in my previous post (https://dscsti.ro/fail2ban/), to stop brute-force attacks against your server.
Implementation
apt-get install libpam-google-authenticator
Then, as the user who will be logging in over SSH (the secret is written to that user's ~/.google_authenticator), run from the home directory:
google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/user/.google_authenticator" file (y/n)
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n)
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
As you can see you have to answer a few questions. The defaults cover most scenarios, so answering yes is a good approach here. Along the way the tool also prints the new secret key, a QR code (with its URL) and a set of emergency scratch codes: add the secret to the phone app right away, either by scanning the QR code or by typing the key in, and keep the scratch codes somewhere safe offline; they are one-time codes for when the phone is not available.
On the Linux machine
The PAM module (pam_google_authenticator.so) is already on the system: it comes with the libpam-google-authenticator package installed above, so there is nothing else to install (libpam-ssh is an unrelated module and is not needed). Tell PAM to use it for SSH by editing /etc/pam.d/sshd and adding the following line at the bottom of the file:
auth required pam_google_authenticator.so
Note: if you don't want to enforce Google Authenticator for all accounts you can add the nullok option.
When a system account has no .google_authenticator file in its home directory, no verification code is required for it.
I do not recommend this setting, but you have to keep in mind that the option is there; in that case the line in /etc/pam.d/sshd looks like this:
auth required pam_google_authenticator.so nullok
Prepare the OpenSSH server for Google Authenticator by modifying /etc/ssh/sshd_config:
UsePAM yes
ChallengeResponseAuthentication yes
(On OpenSSH 8.7 and newer the second option is called KbdInteractiveAuthentication; the old name is still accepted.) Note that public-key logins never run the PAM auth stack, so with the default PubkeyAuthentication yes a user who has a key installed on the server will not be asked for a code; if you want the second factor for key-based logins too, add AuthenticationMethods publickey,keyboard-interactive. Restart the SSH server, but keep your current session open and test the new login from a second terminal, so that a mistake in the PAM stack does not lock you out.
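Before restarting sshd it is worth checking the wiring of the two files. The checker below is an added example for this post, not a tool from OpenSSH or the Google Authenticator project; it parses constructed copies of /etc/ssh/sshd_config and /etc/pam.d/sshd and reports the mistakes that silently turn the second factor off: UsePAM or ChallengeResponseAuthentication/KbdInteractiveAuthentication not enabled, key-based logins that bypass PAM, nullok, and a pam_access whitelist line that does not sit directly above the Google Authenticator line. The GOOD_* and BAD_* contents are constructed; on a real host pass in the text of the real files (or the output of `sshd -T` for the effective sshd settings).

```python
import re


def sshd_options(text: str) -> dict:
    """Parse the global section of sshd_config into {keyword: value}.
    sshd uses the FIRST value it sees for a keyword, so a 'UsePAM yes'
    appended below an existing 'UsePAM no' changes nothing; keywords are
    case-insensitive and a 'Match' line ends the global section."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts


def pam_auth_stack(text: str) -> list:
    """Return the 'auth' lines of a pam.d file in stack order as
    (control, module, args) tuples; '@include' lines are kept as
    ('@include', file, '') so positions in the stack stay visible."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("@include"):
            stack.append(("@include", line.split()[1], ""))
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if m:
            stack.append(m.groups())
    return stack


def audit(sshd_config: str, pam_sshd: str) -> list:
    """Return a list of problems; an empty list means the wiring looks right."""
    problems = []
    o = sshd_options(sshd_config)
    if o.get("usepam", "yes") != "yes":
        problems.append("UsePAM is not yes: PAM, and with it the verification code, is never consulted")
    # OpenSSH 8.7+ names the option KbdInteractiveAuthentication; the old name is an alias.
    kbd = o.get("kbdinteractiveauthentication", o.get("challengeresponseauthentication", "yes"))
    if kbd != "yes":
        problems.append("KbdInteractiveAuthentication/ChallengeResponseAuthentication is not yes: sshd cannot prompt for the code")
    # Public-key logins never run the PAM auth stack unless keyboard-interactive is also required.
    if o.get("pubkeyauthentication", "yes") == "yes" and "keyboard-interactive" not in o.get("authenticationmethods", ""):
        problems.append("public-key logins skip the PAM auth stack; set AuthenticationMethods publickey,keyboard-interactive to require the code as well")
    stack = pam_auth_stack(pam_sshd)
    ga = [e for e in stack if e[1] == "pam_google_authenticator.so"]
    if not ga:
        problems.append("pam_google_authenticator.so is missing from the auth stack")
    for control, _, args in ga:
        if control not in ("required", "requisite"):
            problems.append(f"pam_google_authenticator.so is '{control}'; use 'required' so a bad code fails the login")
        if "nullok" in args.split():
            problems.append("nullok is set: users without ~/.google_authenticator log in with password alone")
    # '[success=N ...]' skips the next N modules, so the pam_access whitelist line
    # only exempts the code if pam_google_authenticator.so is exactly one line below it.
    for i, (control, module, _) in enumerate(stack):
        m = re.search(r"success=(\d+)", control)
        if module == "pam_access.so" and m:
            nxt = stack[i + 1][1] if i + 1 < len(stack) else None
            if m.group(1) != "1" or nxt != "pam_google_authenticator.so":
                problems.append("the pam_access skip does not land on pam_google_authenticator.so: the whitelist skips the wrong module")
    return problems


# Constructed inputs (not real host files).  GOOD_* is the wiring described above,
# plus AuthenticationMethods so key-based logins get the code too.
GOOD_SSHD_CONFIG = """UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""
GOOD_PAM_SSHD = """@include common-auth
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
account required pam_nologin.so
"""
# BAD_*: the Debian-default 'no', nullok, and the pam_access line in the wrong place.
BAD_SSHD_CONFIG = """UsePAM yes
ChallengeResponseAuthentication no
"""
BAD_PAM_SSHD = """@include common-auth
auth required pam_google_authenticator.so nullok
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
"""
```

The checker is static: it tells you the files say the right thing, not that the running sshd has re-read them, so still confirm with a real login from a second terminal after the restart.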
How to test
ssh user@host
Password:
Verification code:
As you can see a verification code is asked for after the password. That code is the one currently shown by the phone application; it changes every 30 seconds.
Ability to whitelist IPs
Another thing I like about this setup is that IPs can be whitelisted through pam_access, the standard PAM access-control module: if you are ssh-ing from an IP on the whitelist then the verification code is not required.
This is useful when you want a second factor for everybody ssh-ing in from outside your network, but not from inside. Keep in mind that pam_access sees the address sshd reports as the TCP peer, so anything that reaches the server from the whitelisted range (a compromised internal host, or a VPN or NAT that presents an internal address) logs in with the password alone.
Modify /etc/pam.d/sshd as follows (success=1 skips exactly one module, so the pam_access line must sit directly above the Google Authenticator line):
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
Then in /etc/security/access-local.conf (the first line that matches decides, and pam_access grants access when no line matches at all, so the final deny-all line is essential):
# localhost and the internal network don't need two-step verification
+ : ALL : 10.2.1.0/24
+ : ALL : 127.0.0.1
# All other hosts need two-step verification
- : ALL : ALL
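To see how pam_access reads that file, here is an evaluator added for this post (not pam_access's own code) for the subset of the access.conf syntax used above: '+' or '-', ALL or user names, and origins given as ALL, a single IP or a CIDR block. It follows pam_access's two rules that matter here: the first line whose users and origins both match decides, and when no line matches access is granted. In the sshd stack above "granted" means pam_google_authenticator.so is skipped, so the example also shows what happens if the last line is left out. The three config strings are constructed for the example.

```python
import ipaddress


def parse_access_conf(text: str) -> list:
    """Parse 'permission : users : origins' lines of an access.conf file.
    Only the subset used above is handled: '+' or '-', ALL or user names,
    and origins given as ALL, a single IP or a CIDR block (no groups,
    EXCEPT, host names or LOCAL)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def origin_matches(origin: str, rhost: str) -> bool:
    """True if the client address rhost falls under the origin pattern."""
    if origin == "ALL":
        return True
    try:
        return ipaddress.ip_address(rhost) in ipaddress.ip_network(origin, strict=False)
    except ValueError:
        return False  # not an IP or CIDR origin; not handled in this model


def access_allowed(conf: str, user: str, rhost: str) -> bool:
    """Decide like pam_access: the first line whose users AND origins both
    match decides, and if no line matches at all access is GRANTED.  In the
    sshd stack above 'granted' means pam_google_authenticator.so is skipped,
    so that default is why the trailing '- : ALL : ALL' line matters."""
    for allow, users, origins in parse_access_conf(conf):
        if ("ALL" in users or user in users) and any(origin_matches(o, rhost) for o in origins):
            return allow
    return True


# Constructed files for the example.
ACCESS_LOCAL_CONF = """# localhost and the internal network don't need two-step verification
+ : ALL : 10.2.1.0/24
+ : ALL : 127.0.0.1
# All other hosts need two-step verification
- : ALL : ALL
"""
# Same file without the final deny line: every host is now 'whitelisted'.
ACCESS_LOCAL_CONF_NO_DENY = "\n".join(ACCESS_LOCAL_CONF.splitlines()[:-1]) + "\n"
# A deny rule placed first wins for root even from inside, because the first match decides.
ACCESS_LOCAL_CONF_ROOT = "- : root : ALL\n" + ACCESS_LOCAL_CONF
```

The third variant is a pattern worth copying: a deny line for sensitive accounts placed above the whitelist makes those accounts enter the code from everywhere, while ordinary users inside 10.2.1.0/24 still skip it.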