Many security policies require you to change the port number of the SSH service in order to harden a Linux system. This is now common practice throughout the IT world, mostly among users who run their own private server. Today I want to show you how to add another security policy without having to change the SSH port: integrating the well-known Google Authenticator into the SSH service, so that login becomes a two-step process, the user's password plus the code generated by the Google Authenticator (GA) app. Let's see how to do this...
The first step is to configure NTP on our Linux OS so that the clock is aligned with the Google servers.
So let's get ready to install it on our Linux system.
We install the dependencies to be able to operate the product correctly:
# apt-get install build-essential libpam0g-dev libpam0g make
For CentOS/RHEL (with the EPEL repo enabled, as described HERE):
# yum --enablerepo=epel install gcc gcc++ pam-devel subversion python-devel git
For ArchLinux (if necessary):
# pacman -Sy pam wget
With the dependencies installed, proceed to compile the required library. Download it with the command:
# wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2 -O googleauth.tar.bz2
Extract the contents:
# tar -xf googleauth.tar.bz2
Enter the directory:
# cd libpam-google-authenticator-1.0/
Edit the makefile with your favorite editor:
# nano Makefile
Immediately after the directive VERSION := 1.0, add the line LDFLAGS="-lpam", so that the top of the file reads:
VERSION := 1.0
LDFLAGS="-lpam"
At this point, save the file and launch the build commands:
# make && make install
Once the installation has completed successfully, remove the downloaded files with the commands:
# cd ..
# rm -rf googleauth.tar.bz2 libpam-google-authenticator-1.0/
At this point we run the command that performs the first configuration (the same google-authenticator command referred to later for additional users):
# google-authenticator
Once launched, it asks:
Do you want authentication tokens to be time-based (y/n)
Reply "y" and press Enter.
At this point you will see an output like this:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@myserver%3Fsecret%3D3LXXXXXXXXXXXX
Your new secret key is: 3LOXXXXXXXXXXXX
Your verification code is 722511
Your emergency scratch codes are:
83222658
89225401
50442214
61802255
22629775
Do you want me to update your "/root/.google_authenticator" file (y/n)
Copy the link https://www.google.com/chart?chs=200x200&.... and paste it into the address bar of your browser; the QR code will appear.
Open the G.A. application on your phone and go to "Menu" -> "Configure Account".
Then tap "Read barcode".
Point the smartphone at the screen to read the barcode and generate the access codes.
The entry for your server (e.g. root@hostname) appears immediately afterwards:
At this point the application is ready; go back to the Linux system and continue the configuration. We left off at the question:
Do you want me to update your "/root/.google_authenticator" file (y/n)
Reply "y" to this and to the remaining questions.
All that remains is to edit the PAM configuration file with your favorite editor:
# nano /etc/pam.d/sshd
and add at the end of the file:
auth required pam_google_authenticator.so
Save it, then edit the sshd_config configuration file with your favorite editor:
# nano /etc/ssh/sshd_config
modifying the relevant directive so that it reads:
Save the file and restart the SSH service with the command appropriate for your distribution (one of the following):
# service ssh restart
# service sshd restart
# systemctl restart sshd
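The two configuration edits above (the PAM line and the sshd_config directive) are easy to get wrong by hand: appending the PAM line twice prompts for the code twice, a duplicate directive later in sshd_config silently wins, and restarting sshd on a file with a syntax error locks everyone out. The script below is an added example, not code from the original post or from the Google Authenticator project. It assumes Debian-style paths (/etc/pam.d/sshd and /etc/ssh/sshd_config), that pam_google_authenticator.so has already been installed by make install, and that the sshd_config directive the post refers to is ChallengeResponseAuthentication yes (the setting pam_google_authenticator needs so that sshd asks for the code; OpenSSH 8.7 and later also accept the newer name KbdInteractiveAuthentication). The functions take file paths as arguments so they can be exercised on copies before touching /etc.

```shell
#!/bin/sh
# Added example (not part of the original post): apply the PAM and sshd_config
# edits idempotently, validate the result with `sshd -t`, then restart sshd.
# Assumed paths; override with environment variables on other distributions.
PAM_FILE="${PAM_FILE:-/etc/pam.d/sshd}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Append the PAM line only if it is not already present: a second copy would
# make sshd prompt for the verification code twice.
enable_ga_pam() {
    pam_file="$1"
    if ! grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_file"; then
        printf 'auth required pam_google_authenticator.so\n' >> "$pam_file"
    fi
}

# Set "key value" in sshd_config, replacing any existing occurrence (commented
# out or not) so that no later duplicate can override the value we want.
# Directives inside Match blocks are deliberately not handled here.
set_sshd_option() {
    config="$1"; key="$2"; value="$3"
    if grep -q "^[#[:space:]]*${key}[[:space:]]" "$config"; then
        sed -i "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$config"
    else
        printf '%s %s\n' "$key" "$value" >> "$config"
    fi
}

# Restart with whichever service manager is present (mirrors the three
# commands listed in the post).
restart_sshd() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart sshd 2>/dev/null || systemctl restart ssh
    else
        service ssh restart 2>/dev/null || service sshd restart
    fi
}

main() {
    cp -a "$PAM_FILE" "$PAM_FILE.bak"
    cp -a "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    enable_ga_pam "$PAM_FILE"
    set_sshd_option "$SSHD_CONFIG" ChallengeResponseAuthentication yes
    set_sshd_option "$SSHD_CONFIG" UsePAM yes
    # Never restart on a config that does not parse: that is how you lock
    # yourself out. Restore the backup instead and report the failure.
    if sshd -t -f "$SSHD_CONFIG"; then
        restart_sshd
    else
        echo "sshd_config failed validation, restoring backup" >&2
        cp -a "$SSHD_CONFIG.bak" "$SSHD_CONFIG"
        exit 1
    fi
}

# Only modify the live system when explicitly asked: ./ga-sshd.sh --apply
if [ "${1-}" = "--apply" ]; then
    main
fi
```

Keep an existing SSH session open while you run this with --apply and test a fresh login from a second terminal before closing it; if the new login fails, the .bak copies restore the previous state.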
At this point, if all went well, test it by connecting to the server via ssh:
To enable the same code for other users of the system, just copy the file /root/.google_authenticator into that user's home directory. If instead you want a separate token per user, just run the google-authenticator command again as the desired user.
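Whichever of the two options above you choose, the resulting ~/.google_authenticator files are worth auditing: pam_google_authenticator refuses a secret file that is not owned by the logging-in user or that is readable by group or others (a file copied around as root easily ends up that way, and the symptom is simply a failed login), and a secret shared between several accounts means one phone, or one leaked file, unlocks all of them. The script below is an added example, not part of the original post or of the Google Authenticator project. It assumes GNU coreutils stat and the file layout written by the google-authenticator tool, in which the first line is the base32 secret; the functions take paths and a user name as arguments so they can be tested on constructed files.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the per-user
# ~/.google_authenticator files after rolling the PAM module out.
# Assumes GNU `stat` and that line 1 of each file is the base32 secret.

# Return 0 if the secret file is owned by the given user and readable by
# nobody else. pam_google_authenticator rejects files with group/other
# permission bits set, so 400 or 600 are the only acceptable modes.
check_ga_file() {
    file="$1"; user="$2"
    if [ ! -f "$file" ]; then
        echo "$file: missing" >&2
        return 1
    fi
    owner=$(stat -c %U "$file")
    mode=$(stat -c %a "$file")
    if [ "$owner" != "$user" ]; then
        echo "$file: owned by $owner, expected $user" >&2
        return 1
    fi
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$file: mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
}

# Print every secret that appears in more than one of the given files.
# Each account should have been enrolled separately; a shared secret means
# a single token (or a single leaked file) unlocks several accounts.
find_shared_secrets() {
    for f in "$@"; do
        [ -f "$f" ] && head -n 1 "$f"
    done | sort | uniq -d
}

# Walk /etc/passwd and check every home directory that has a secret file.
# Run as root; returns 1 if any file fails the check.
audit_all() {
    rc=0
    while IFS=: read -r name _ _ _ _ home _; do
        f="$home/.google_authenticator"
        [ -f "$f" ] || continue
        check_ga_file "$f" "$name" || rc=1
    done < /etc/passwd
    return $rc
}
```

A typical run is audit_all followed by find_shared_secrets /root/.google_authenticator /home/*/.google_authenticator; an empty result from the second means every enrolled account has its own secret.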
That’s all!!! See you soon!!!