OpenSSH Three factor Authentication using Google Authenticator and Public Key authentication

I use Google Authenticator on all of my Google account because it's a nice, efficient way to do multi-factor authentication for the great price of free-ninety-nine. I wanted to use it on one of my servers, but I wanted to be extra secure and use not only TOTP, but password based and RSA key authentication as well. All of the documentation I could find on doing so with OpenSSH was only on doing Google Authenticator's TOTP and password based authentication. Thankfully, this is possible since OpenSSH 6.2 introduced the Authentication Methods argument. 

Setting up Google Authenticator

For this I am going to be using Ubuntu14.04 LTS, which makes setting up Google Authenticator really, really simple.

sudo apt-get install libpam-google-authenticator

Insanely difficult, I know. In this case, this only installs the PAM library on the server.

After that, we will instruct PAM to load the plugin by adding the following line to

/etc/pam.d/sshd 

auth required pam_google_authenticator.so

Finally, we need to tell OpenSSH to use the challenge response authentication, as well as force using multiple factors of authentication.

In /etc/ssh/sshd_config, find the ChallengeResponseAuthentication line to read as below:

ChallengeResponseAuthentication yes

We must also add the following lines:

UsePAM yes

AuthenticationMethods keyboard-interactive:pam,publickey

This will tell OpenSSH to enable PAM authentication, as well as requiring a private key from the person trying to authenticate to the server.

Now, su to the user, and run the google-authenticator command to create a Google Authenticator secret for that user. Note that you can use the same secret across multiple users if you'd like, but that kind of kills the purpose...

Now, restart the SSH service on the server and test the login.

sudo service ssh restart

A successful login should look like below.

 

Should an attacker somehow compromise both your password and your Google Authenticator, they will still require your public key, as shown below.

 

So now, in order to authenticate to the server via SSH, you will need your password, the password to the account, the private key, and, if you're feeling extra special, the passphrase to your private key. If you combine this method of authentication with other ways of securing your SSH server, like port-knocking or running fail2ban, you can certainly make SSH authentication much, much more secure than just needing a password to the account.

Is this overkill? Probably. Is this awesome? Certainly.

About the Author

Jonathan is an IT Security Engineer at ReliaQuest in Tampa, Florida.