Saturday 13 August 2011

How to use Google Authenticator in Debian Wheezy

Google have [released a PAM for the Google
which can use used together with its mobile app to provide two-step
authentication for linux-based systems.

Note that this uses the same mobile app as for [2-step
which you may already use for GMail and other Google Apps.

This document describes how to set up two-step authentication using
the Google Authenticator PAM on a Debian Wheezy system.  It should be
possible to modify these instructions for other linux variants and
older versions of Debian linux but Wheezy is convenient since there is
already a `libpam-google-authenticator` package.

## Installation on the phone

If you are using Android, install the [Google Authenticator App from

Google Authenticator is available for other platforms too.  It's
currently available for iOS and Blackberry.  See the
project page for apps for other mobile platforms.

## Installation on the server

Tip: before you start tinkering with pam settings for ssh, make sure
you have an alternative way into your system, such as a serial console
or a keyboard+monitor.  I.e. if your machine is in some remote
colocation facility and all you have is ssh access, you should be
pretty confident you know what you are doing.

Install the Google Authenticator package

    sudo apt-get install libpam-google-authenticator

Generate a key and the emergency login codes. (Each user needs to do
this and after you have enabled the PAM, those users who have not
generated a key will not be able to log in any more.)


This will print a QR code in your ANSI terminal.  Scan this QR code
using the mobile app to send the secret to the App on your phone.

It will also list six emergency login codes which can be used in case
you do not have your phone available.  Keep a hard copy of these codes
in a safe place such as your wallet.

Create a `/etc/security/access-local.conf` to allow connections from
subnet (edit to suit) to skip the two-step code:

    cat <<EOF | sudo tee /etc/security/access-local.conf
    # only allow from local IP range
    + : ALL : LOCAL
    + : ALL : ${LOCAL_SUBNET}
    - : ALL : ALL

Edit `/etc/pam.d/ssh` by appending two `auth` lines to the end of the

    cat <<EOF | sudo tee -a /etc/pam.d/ssh
    # skip one-time password if logging in from the local network
    auth [success=1 default=ignore] accessfile=/etc/security/access-local.conf
    auth required

If you want two-step authentication for _all_ ssh connections no
matter the source IP address, you only need the last `auth` line from
above (and you can skip creating the `/etc/security/local-access.conf`

Finally, make sure in `/etc/ssh/sshd_config` the following is enabled

    ChallengeResponseAuthentication yes

This was `no` on my freshly installed Wheezy system.

## Further information

   * [Google Authenticator project page on Google
   * [PAM Installation