SSH in 2 steps on Linux with Google Authenticator
Article by Alessio bash, first published on his blog
Many security policies require changing the port number of the SSH service to improve the security of a Linux system. This practice is now widespread in the IT world, especially among users who run their own private server. Today I want to show you how to add another security layer without having to change the SSH port. To do this we'll integrate the well-known Google Authenticator with our SSH service, so that logging in takes two steps: entering our password and then the code given by the GA application. Let's see how to do this…
The first step is to configure NTP on our Linux OS to have our time aligned with the Google servers.
Then download the application Google Authenticator for your mobile device:
DOWNLOAD for iPhone device
DOWNLOAD for Android device
Now get ready to install it on our Linux system.
As a first step, install the dependencies needed to use the product correctly:
# apt-get install build-essential libpam0g-dev libpam0g make
For CentOS/RHEL (you must have enabled the EPEL repo as described HERE)
# yum --enablerepo=epel install gcc gcc-c++ pam-devel subversion python-devel git
For ArchLinux (if necessary)
# pacman -Sy pam wget
Now complete the installation of dependencies with the compilation of the required library. Download the library with the command:
# wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2 -O googleauth.tar.bz2
Extract the contents:
# tar -xf googleauth.tar.bz2
Enter the new directory:
# cd libpam-google-authenticator-1.0/
Edit the makefile with your favorite editor:
# nano Makefile
And here add, immediately after the directive "VERSION := 1.0", the line LDFLAGS="-lpam":
VERSION := 1.0
LDFLAGS="-lpam"
At this point, save the file and launch the build commands:
# make && make install
If the installation is successful, you can remove the downloaded files with the commands:
# cd ..
# rm -rf googleauth.tar.bz2 libpam-google-authenticator-1.0/
At this point we can run the following command for the first configuration of the software:
You will be prompted with the following question:
Do you want authentication tokens to be time-based (y/n)
Reply "y" and press Enter.
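Why the NTP step matters once tokens are time-based: the following is an added example, not code from the original article or from the Google Authenticator project. It computes RFC 6238 codes and shows which server clock errors still let the phone's code through. The secret and timestamp are constructed sample values, the names totp, verify and skew_report are illustrative, and a tolerance of one 30-second step either side is an assumption.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6   # length of the code shown by the phone app

# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time):
    """Return the HMAC-SHA1 time-based code for the given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, code, server_time, window=1):
    """Accept the code for the server's current step or `window` steps either side."""
    for drift in range(-window, window + 1):
        t = server_time + drift * STEP
        if t >= 0 and hmac.compare_digest(totp(secret_b32, t), code):
            return True
    return False


def skew_report(secret_b32, phone_time, skews, window=1):
    """Map each server clock error (seconds) to whether the phone's code is accepted."""
    code = totp(secret_b32, phone_time)
    return {s: verify(secret_b32, code, phone_time + s, window) for s in skews}


if __name__ == "__main__":
    phone_time = 1111111109  # constructed moment, taken from the RFC 6238 test vectors
    print("code on phone:", totp(SAMPLE_SECRET, phone_time))
    for skew, ok in skew_report(SAMPLE_SECRET, phone_time, [0, 20, -20, 120, -120]).items():
        print(f"server clock off by {skew:+4d}s -> {'accepted' if ok else 'rejected'}")
```

A server whose clock is two minutes off rejects a perfectly valid code, which on an SSH host means being locked out until the time is corrected.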