SSH: Two Factor Authentication

authenticationpublic-keysshtwo-factor

I currently have a Ubuntu Server 12.04 running OpenSSH along with Samba and a few other services. At the current time I have public key authentication set up, and I'm wondering if it's possible to set up two factor authentication? I've been looking at Google Authenticator which I currently use with my Gmail account.

I've found a PAM module that looks like it will be compatible however it seems that you are forced to use a password and the code generated.

I'm wondering if there is a way to use the Google Authenticator Application (or something similar) along with my public key to authenticate into my SSH server?

Best Answer

Red Hat have added a patch to OpenSSH in RHEL (and therefore CentOS) 6.3 to require multiple authentication mechanisms, so you can do something like this:

RequiredAuthentications2 publickey,keyboard-interactive

See the release notes for not much more detail.

Unfortunately this feature doesn't seem to be in OpenSSH upstream nor Ubuntu 12.04, so unless you want to find the patch and recompile OpenSSH I'm afraid you're out of luck.

Related Solutions

Ssh – 2 factor authentication for Dovecot/Postfix / SSH / PAM

Really, you want to choose the proper authentication protocol that is supported by PAM, the services you want to protect and the broadest number of two-factor authentication servers.

Radius is the answer.

All major two-factor authentication systems support radius. Radius is supported in PAM through the pam-radius plugin. Radius will also allow you to proxy the requests through freeradius (or NPS on AD) which can then perform authorization against your directory. (Meaning that you have one location to disable users.)

We have a number of tutorials that should help: a couple on pam-radius: https://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to & https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-pam-radius-in-ubuntu

And this one on adding two-factor auth to webmail that covers sasl etc. https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-webmail-for-wikid-strong-authentication

The email clients will be prompted for an OTP each time they launch or for each session.

Pam-tacacs and pam-ldap would be other options, but more difficult and less flexible, IMO.

Ssh – Two Factor SSH Authentication on external address only

Yes, you can do this with pam_access.so. This recipe was taken from the wiki for the Google Authenticator:

A useful PAM recipe is to allow skipping two-factor authentication when the connection originates from certain sources. This is already supported by PAM. For example, the pam_access module can be used to check the source against local subnets:
# skip one-time password if logging in from the local network
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth       required     pam_google_authenticator.so
In this case, access-local.conf looks like:
# only allow from local IP range
+ : ALL : 10.0.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
Thus login attempts from 10.0.0.0/24 will not require two-factor authentication.

Best Answer

Related Solutions

Ssh – 2 factor authentication for Dovecot/Postfix / SSH / PAM

Ssh – Two Factor SSH Authentication on external address only

Related Topic