As noted elsewhere, ForceCommand is a nicer option, and can be done with something like this in sshd_config:<p><pre><code> Match group yubikey
# ForceCommand /usr/local/bin/yubikey.sh
ForceCommand /usr/local/bin/mobileverification.sh
</code></pre>
The commented out script is something I wrote to authenticate Yubikeys - see <a href="http://yubico.com/yubikey" rel="nofollow">http://yubico.com/yubikey</a><p>And the mobileverification.sh sends a randomly generated 4-digit PIN code to the phone number that user has saved in ~/.ssh/mobile_number and asks them to enter it.<p>Edit: in case anyone is interested, mobileverification.sh at <a href="http://pastie.org/pastes/2579517/text?key=tv1xciwdubnwi165fzaksa" rel="nofollow">http://pastie.org/pastes/2579517/text?key=tv1xciwdubnwi165fz...</a> and yubikey.sh at <a href="http://pastie.org/pastes/2579528/text?key=krpmwrivbvrjmx0xb3smq" rel="nofollow">http://pastie.org/pastes/2579528/text?key=krpmwrivbvrjmx0xb3...</a><p>Edit2: It's worth pointing out that both those scripts were written fairly quickly by me, for basic personal use. If you want to use them I would recommend going through them and making sure I didn't screw anything up.
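Added example, not the mobileverification.sh linked above: a Python ForceCommand wrapper that does what that comment describes (random PIN, number read from ~/.ssh/mobile_number, prompt, then hand over to the requested command or login shell). The script path, the phone-number format, the attempt limit and the send_sms() hook are assumptions; the hook has to be wired to a real SMS gateway before this is usable. The points worth copying are the CSPRNG-based PIN, the constant-time comparison, failing closed when the number file is missing, and exec'ing the shell only after the check passes.

```python
#!/usr/bin/env python3
"""Hypothetical ForceCommand second factor via a one-time PIN.

Assumed sshd_config fragment that would invoke it:

    Match Group yubikey
        ForceCommand /usr/local/bin/mobileverification.py
"""
import hmac
import os
import pwd
import re
import secrets
import sys
from pathlib import Path

PIN_DIGITS = 4
MAX_ATTEMPTS = 3
# Constructed: accept only an optional '+' and 6-15 digits, nothing else.
PHONE_RE = re.compile(r"^\+?[0-9]{6,15}$")


def generate_pin(digits=PIN_DIGITS):
    """Zero-padded PIN from the OS CSPRNG (secrets), never random.random()."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def parse_mobile_number(text):
    """Validate the contents of ~/.ssh/mobile_number; None if unusable."""
    number = text.strip()
    return number if PHONE_RE.match(number) else None


def verify_pin(expected, entered):
    """Constant-time comparison so timing does not leak matching digits."""
    return hmac.compare_digest(expected.encode(), entered.strip().encode())


def send_sms(number, message):
    """Assumed hook: replace with your SMS gateway call. Never log the PIN."""
    raise NotImplementedError("wire this to an SMS provider")


def challenge(number, prompt=input, pin_source=generate_pin, sender=send_sms):
    """Send a fresh PIN and allow MAX_ATTEMPTS guesses. True on success."""
    pin = pin_source()
    sender(number, f"Your login code is {pin}")
    for _ in range(MAX_ATTEMPTS):
        if verify_pin(pin, prompt("Enter the code sent to your phone: ")):
            return True
    return False


def main():
    entry = pwd.getpwuid(os.getuid())
    try:
        number = parse_mobile_number(
            (Path(entry.pw_dir) / ".ssh" / "mobile_number").read_text())
    except OSError:
        number = None
    if number is None:
        # Fail closed: no usable number means no login for this Match group.
        sys.exit("no valid ~/.ssh/mobile_number; refusing login")
    if not challenge(number):
        sys.exit("verification failed")
    # sshd exports the client's requested command here; run it, else a login shell.
    shell = entry.pw_shell or "/bin/sh"
    original = os.environ.get("SSH_ORIGINAL_COMMAND")
    if original:
        os.execv(shell, [shell, "-c", original])
    os.execv(shell, [shell, "-l"])


if __name__ == "__main__":
    main()
```

The challenge() function takes its prompt, PIN source and sender as parameters so the flow can be exercised without a phone; in production only the defaults are used.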
If you're running a recent version of OpenSSH, you can add the 'ForceCommand' param to sshd_config to add it for all users. The only downside to this is it is for <i>all users</i>, so if you run something that needs to use key based login without the two factor method you'll need to validate that yourself within the script.
GRC's Perfect Paper Passwords works well for me (<a href="https://www.grc.com/ppp.htm" rel="nofollow">https://www.grc.com/ppp.htm</a>). It's similar to LastPass's Grid authentication but less obnoxious IMO. One member of the GRC newsgroups has written a PAM which has served all of my 2FA needs (<a href="http://code.google.com/p/ppp-pam/" rel="nofollow">http://code.google.com/p/ppp-pam/</a>).
A while back I wondered how hard it would be to integrate two-factor authentication on a web site using Google's Authenticator app, since it uses open protocols and is available on all platforms. Turns out it's incredibly easy. Even made a demo: <a href="http://dendory.net/twofactors/" rel="nofollow">http://dendory.net/twofactors/</a>
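Added example, not the code behind the demo above or the Google Authenticator project: the open protocol that comment refers to is TOTP (RFC 6238) built on HOTP (RFC 4226), and this is the whole server side of it in standard-library Python. The shared secret here is the RFC test-vector key; the drift window of one step either side and the otpauth URI layout are the conventions the Authenticator app uses.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 with Google Authenticator's defaults: SHA-1, 30 s steps, 6 digits."""
    return hotp(secret, int(for_time) // step, digits)


def decode_base32_secret(text):
    """App secrets are base32 without padding and often spaced; restore padding."""
    text = text.replace(" ", "").strip().upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def provisioning_uri(issuer, account, secret):
    """otpauth:// URI that the app enrolls from (usually rendered as a QR code)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"


def verify_totp(secret, submitted, now=None, window=1, step=30, digits=6):
    """Accept the current step and `window` steps either side for clock drift.

    Constant-time compare. Returns the matching step number (so the caller can
    store it and refuse a second login with the same code), or None.
    """
    now = time.time() if now is None else now
    step_now = int(now) // step
    submitted = submitted.replace(" ", "").strip()
    for delta in range(-window, window + 1):
        candidate = hotp(secret, step_now + delta, digits)
        if hmac.compare_digest(candidate.encode(), submitted.encode()):
            return step_now + delta
    return None


if __name__ == "__main__":
    # RFC 6238 test-vector secret; a real deployment generates 20 random bytes per user.
    demo_secret = b"12345678901234567890"
    print(provisioning_uri("Example", "alice@example.org", demo_secret))
    print("current code:", totp(demo_secret, time.time()))
```

Storing the returned step and rejecting any login that presents a code for that step or an earlier one is what turns this from "correct code" into "one-time code"; the window only exists to tolerate a phone whose clock is a little off.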
This is cool. I'd also like to point out the PAM module:
<a href="http://code.google.com/p/google-authenticator/source/browse/libpam/" rel="nofollow">http://code.google.com/p/google-authenticator/source/browse/...</a>
I was using the command="" stuff to restrict a user to only running rsync the other day and was considering writing the script in ruby as was done here. Does anyone have any opinion on how safe that is? The client shouldn't have that many ways to interact with the ruby process but I was still wondering if I should stick to something smaller like /bin/sh (not even bash) for safety.
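Added example, not the script from the thread or the article it discusses: a command="" wrapper that permits only rsync in server mode against one directory tree. Whatever language the wrapper is written in, what decides its safety is that SSH_ORIGINAL_COMMAND is parsed and checked against an allowlist and that the real binary is exec'd directly with no shell in between; this shows that pattern. The rsync path, the allowed root and the long-option allowlist are assumptions to adjust for your host.

```python
#!/usr/bin/env python3
"""Hypothetical authorized_keys wrapper restricting a key to rsync --server.

Assumed authorized_keys line (key material elided):

    command="/usr/local/bin/rsync-only.py",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... backup@host
"""
import os
import re
import shlex
import sys
from pathlib import Path

RSYNC = "/usr/bin/rsync"                      # assumption: location of rsync
ALLOWED_ROOTS = (Path("/srv/backup"),)        # assumption: only tree this key may touch
# rsync clients send one clustered short-option token such as -vlogDtpre.iLsfxC
SHORT_CLUSTER = re.compile(r"^-[A-Za-z.]+$")
LONG_ALLOWED = {
    "--server", "--sender", "--delete", "--delete-during", "--delete-after",
    "--delete-excluded", "--partial", "--compress", "--numeric-ids", "--inplace",
}


def check_rsync_command(original, roots=ALLOWED_ROOTS):
    """Return the argv to exec if `original` is an acceptable invocation, else None."""
    try:
        argv = shlex.split(original or "")
    except ValueError:          # unbalanced quotes etc.
        return None
    if len(argv) < 3 or argv[0] != "rsync" or argv[1] != "--server":
        return None
    roots = [Path(r).resolve(strict=False) for r in roots]
    for tok in argv[2:]:
        if tok.startswith("-"):
            # Only the known-safe long options or a plain short cluster; this drops
            # --rsync-path=, --log-file=, a bare -e and anything else unexpected.
            if tok in LONG_ALLOWED or (SHORT_CLUSTER.match(tok) and tok != "-e"):
                continue
            return None
        if tok == ".":          # rsync's placeholder for the client side
            continue
        path = Path(tok)
        if not path.is_absolute():
            return None
        path = path.resolve(strict=False)   # collapses /srv/backup/../etc
        if not any(path == r or r in path.parents for r in roots):
            return None
    return [RSYNC] + argv[1:]


def main():
    argv = check_rsync_command(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        sys.stderr.write("rejected: only rsync --server into the backup tree is permitted\n")
        sys.exit(1)
    os.execv(RSYNC, argv)       # direct exec, no shell ever sees the arguments


if __name__ == "__main__":
    main()
```

The returned argv keeps the client's own option cluster, because rsync encodes protocol information in it, while any option that could name a file or a program outside the tree is refused rather than sanitised.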
What a great solution. I will use it, but...<p>I guess I found a serious security problem.<p>When logging ssh commands with '-vT', I can see the secret. The secret should be hard coded in the two_factor script.
If you exec the shell on your own (and make auth decisions on your own) outside of PAM you are basically destroying meaningful logging of successful/unsuccessful authentication, right?