21 August 2013

This is the second part of the tutorial. The first part is available here.

Step four: install the PAM OTP module

$ sudo make install

Step five: configure PAM to use the Google Authenticator OTP module

If you have SElinux enabled and patched the code as described above, add a call to the Google Authenticator PAM module in the PAM SSH configuration file as follow:

$ sudo sed -i -e '3iauth       required     pam_google_authenticator.so nullok secret=/home/${USER}/.ssh/.google_authenticator' /etc/pam.d/sshd

If you did not patch the file, use the following.

$ sudo sed -i -e '3iauth       required     pam_google_authenticator.so' /etc/pam.d/sshd

Step six: configure SSH to use PAM and ChallengeResponseAuthentication

The first change will ensure sshd calls the PAM hook which will activate the Google Authenticator module. Find the UsePAM directive and make sure it is set to ‘yes’

UsePAM yes

Next, we activate the ChallengeResponseAuthentication option.

ChallengeResponseAuthentication yes

Finally, you can decide to disable public key authentication method to force the users to always use One Time Password.

PubkeyAuthentication no

Step seven: Create pre-shared secret

Next we need to define a pre-shared secret between a user and the OTP device. In my case I will use the Google Authenticator smartphone application. So lets run the second component that was installed when you ran ‘make install’…


Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: XXXXXXXXXXXXXXXXX
Your verification code is 993048
Your emergency scratch codes are:

Do you want me to update your "/home/demo/.ssh/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

If libqrencode was found at compile time, a QR-code will also be displayed below the URL.

Step eight: configure the secret on your OTP devide

Different options:

  1. configure it manually or better…
  2. scan the QR-code if your OTP device can to it!

If no QR-code were displayed in your terminal, you can copy/paste the URL in your browser to generate one!

Step nine: if you have SElinux enabled…

If SElinux is enabled, fix the permission with the following command found here.

chcon -R -t ssh_home_t $HOME/.ssh/.google_authenticator

Step ten: debug?

If you have trouble, open another terminal and have a look to the log file while attempting to connect…

tail -f /var/log/secure

blog comments powered by Disqus