Authenticate SSH with “Google Authenticator” OTP

By Kernel 7 On August 9th, 2013

This guide assumes you already have the following:
+ Linux RPM-based system
+ NTP Synchronization
+ Internet Access for “Google Authenticator” API

[1] Install pre-requisites for “Google Authenticator“:
yum install gcc pam-devel subversion python-devel git

[2] Install Google Authenticator PAM module:
mkdir /tmp/google-authenticator
cd /tmp/google-authenticator/
git clone http://code.google.com/p/google-authenticator/
cd google-authenticator/libpam/
make && make install

[3] Setup SSH’s PAM to use Google Authenticator:
vi /etc/pam.d/sshd

  • At the beginning, add:
    auth required pam_google_authenticator.so

    • vi /etc/ssh/sshd_config

  • Change the following:
    ChallengeResponseAuthentication yes
  • Change the following:
    UsePAM yes
  • Change the following:
    PubkeyAuthentication no

    • service sshd restart

    [4] Setup Google Authenticator for any user that will have access to the system (i.e. jdoe):
    su – jdoe
    google-authenticator
    + Note your “Secret Key”, “Verification Code”, and “Scratch Codes”.
    + Answer “y”, “y”, “n”, “y”.

    [5] Test SSH Login with the user configured (i.e. jdoe):
    + Setup the Google Authenticator on your Smart Phone
    + Launch an SSH session to login with “jdoe”
    + Enter the Verification Code from Google Authenticator (Smart Phone)
    + Enter your Linux password

    Posted in General, GNU/Linux, Security | Comments Off on Authenticate SSH with “Google Authenticator” OTP