Two-Factor Authentication & How to Enable on SSH

Converted from Blogger. Please excuse any layout errors!
If you have ever managed a Linux server, chances are you logged into it with Secure Shell. SSH is a vital service for managing hosts remotely. There are ways to secure it, such as strong passwords and brute-force prevention. SSH can also use public/private keys to log in without a password; keys are a convenient and secure way of connecting to an SSH server. Two-factor authentication adds to that security. Personally, I use keys to log in to my server, but when I'm not using keys it falls back to a password plus a time-based code.


A Quick Introduction to Two-Factor Authentication

Two-factor authentication provides an additional means of identifying a user when logging into a service. It is becoming evident that just a username and password is not enough.

Two-factor combines two of these:
what you know
what you have
what you are
(pick two)
e.g. "what you know" (like a password) and "what you have" (like your phone).


Two-factor is generally a password and a time-dependent code. There are other forms, like push messages, phone calls, and asymmetric keys plus push (Twitter).

Two-factor is gaining popularity among web services. A few years ago you had to acquire a dongle that generated a time-based code; now, with smartphones, there are free apps that do the same.

Depending on the security settings, some services require you to type in a code every time you log in, others only when logging in from a new device.

Two-factor is not an end-all solution to security. You should still use strong passwords. Two-factor still leaves room for man-in-the-middle or man-in-the-browser attacks, and if your phone is compromised your second factor can be hijacked too.


How to Enable Two-Factor on SSH

Package (Debian/Ubuntu): sudo apt-get install libpam-google-authenticator
Package (Arch, AUR): yaourt google-authenticator-libpam-git
Source: https://code.google.com/p/google-authenticator/

Now run "google-authenticator" as the user you want to generate a key for.

It even gives you a URL for a nice QR code to scan.

Add the code to your smartphone using the Google Authenticator app.

Next you have to set up Google Authenticator for SSH logins.

Open /etc/pam.d/sshd on your system (for example with sudo nano /etc/pam.d/sshd) and add the following line to the file:
auth required pam_google_authenticator.so

Open /etc/ssh/sshd_config, find the ChallengeResponseAuthentication line, and change it to:
ChallengeResponseAuthentication yes
(If the ChallengeResponseAuthentication line doesn't exist, add it.)

Restart the SSH server; the command depends on your distribution:
sudo service ssh restart
systemctl restart sshd

Test the login from a second terminal before closing the session you are already in, so a mistake in the PAM configuration cannot lock you out.


It should work now!
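To see what the PAM module is actually checking at the prompt, here is an added example (not code from the google-authenticator project) of the RFC 6238 TOTP computation in Python: the base32 secret that google-authenticator writes to ~/.google_authenticator is HMAC-SHA1'd with the current 30-second time step, truncated to six digits, and compared against the typed code within a small drift window. The secret below is a constructed test-vector key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 4226/6238 test-vector key "12345678901234567890",
# base32-encoded the way google-authenticator stores it in ~/.google_authenticator.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    secret_b32 = secret_b32.strip().upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret_b32, int(unix_time) // step, digits)


def verify_totp(secret_b32, candidate, unix_time=None, window=1, step=30, digits=6):
    """Accept a code from the current step or +/- `window` steps (clock-drift tolerance),
    comparing in constant time so the check leaks nothing about the expected code."""
    if unix_time is None:
        unix_time = time.time()
    current = int(unix_time) // step
    ok = False
    for counter in range(current - window, current + window + 1):
        # Check every step rather than returning early, so timing stays uniform.
        ok |= hmac.compare_digest(hotp(secret_b32, counter, digits), candidate)
    return ok


if __name__ == "__main__":
    # RFC 6238 test time 59 s -> step 1 -> code 287082 for the example key.
    print(totp(EXAMPLE_SECRET_B32, 59))
```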


Backup your Google Authenticator


Google Authenticator is a great app. A QR code is generated, you scan it with your phone, and the account is added to your Google Authenticator app.

To back up Google Authenticator (this needs root on the phone; the exact location may vary, but it's in this general area):
cp /data/data/com.google.android.apps.authenticator/databases/databases /sdcard

Then use sqlite3 to pull the data, or just cat the file:
sqlite3 ./databases
sqlite> select * from accounts;