Use Google Authenticator For Two-Factor SSH Authentication in Linux

75 points by vimes656, almost 12 years ago

14 comments

davidbanham, almost 12 years ago
We've been using libpam-google-authenticator for a while on all our servers, it's part of our base Chef configuration.

Our setup is that key based authentication works as normal, but if you want to use a password based authentication, you need to 2-factor auth.

This approach allows us to maintain security without losing the ability to go "Oh no I'm somewhere without any of my private keys and I really need to log into that server to fix this production error!"
mpetrov, almost 12 years ago
It would be great if this was supported along with key based authentication. Using the PAM method outlined here works only with password based authentication and the TFA is completely bypassed when a key is used.

I researched this a few months back and was not able to find a clean way to add TFA to a key based login. Any suggestions from other HN readers?
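
The bypass described in the two comments above can be checked for mechanically. This is an added example, not code from the thread or from any project named in it: it audits `sshd_config` text for whether a public key alone completes a login. It relies on the `AuthenticationMethods` option of OpenSSH 6.2 and later, which the thread does not mention, and as a simplifying assumption it reads only the global section (no `Match` blocks, no `Include`).

```python
import re

def global_options(config_text):
    """First value per keyword wins in sshd_config; stop at the first Match block."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break  # everything after this is conditional; out of scope here
        opts.setdefault(keyword, value)
    return opts

def key_skips_second_factor(config_text):
    """True if a public key alone completes login, so the PAM TOTP prompt never runs."""
    opts = global_options(config_text)
    if opts.get("pubkeyauthentication", "yes").lower() == "no":
        return False
    methods = opts.get("authenticationmethods", "any")
    if methods.lower() == "any":
        return True  # any single enabled method is sufficient
    for chain in methods.split():  # space-separated chains are alternatives
        required = {m.split(":", 1)[0] for m in chain.split(",")}
        if required == {"publickey"}:
            return True
    return False

# Constructed sample configurations (not taken from the thread).
PASSWORD_PLUS_TOTP_ONLY = """
UsePAM yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""
KEY_AND_TOTP = PASSWORD_PLUS_TOTP_ONLY + \
    "AuthenticationMethods publickey,keyboard-interactive:pam\n"
KEY_OR_TOTP = PASSWORD_PLUS_TOTP_ONLY + \
    "AuthenticationMethods publickey keyboard-interactive:pam\n"

if __name__ == "__main__":
    for name in ("PASSWORD_PLUS_TOTP_ONLY", "KEY_AND_TOTP", "KEY_OR_TOTP"):
        print(name, key_skips_second_factor(globals()[name]))
```

A comma joins methods that must all succeed, while a space separates alternative chains, which is why `KEY_OR_TOTP` still lets a key through without a code.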
Sami_Lehtinen, almost 12 years ago
I don't get it why standard TOTP is suddenly Google something. Afaik, it has nothing at all to do with Google. Except adding Google something makes it sound better? Maybe if I use TOTP app with my iPhone then I get really cool Apple iAuth?
Create, almost 12 years ago
rather http://motp.sourceforge.net/

According to the gauth “disclaimer” on the website, the recent versions of the Android app are proprietary: the most recent on Google Play is from February 13. It’s hard to tell if there will be any more commits to that repo.

Fork: kaie/otp-authenticator-android https://github.com/kaie/otp-authenticator-android
laumars, almost 12 years ago
There's quite a few PAM modules like this for SSH authentication. Another one I was trialling for a few weeks sometime last year was captcha codes (basically written in ASCII art) to prevent automated attacks. Sadly it quickly became more of a nuisance as keys and/or fail2ban/denyhosts/etc already do a better job of that and don't have the downside of an annoying additional verification stage.
ppierald, almost 12 years ago
I would highly recommend using DuoSecurity for all your 2-Factor Authentication needs. Their solution is very slick, easy to use, and intuitive. Duo has options for every conceivable situation a user might get themselves into including Push Notifications, SMS codes, saved bypass codes via SMS, static bypass codes, phone calls, and hardware keys including YubiKey support. Additionally, they have APIs that expose any of the data/functionality you wish and native language support including Python. You can drop in their plugin to protect WordPress with a couple clicks, add support to your internal applications via Duo Web, protect your Splunk install, SSH connections, SSL VPN, and a ton of other possibilities. Also, they have a freemium model where your first 10 accounts are always free.
lawnchair_larry, almost 12 years ago
Better yet, check out Duo Security: https://www.duosecurity.com/

It's free for individuals, and they even answer support emails ;)

(Undisclaimer: I have no interest in the company, just a fan)
oarmstrong, almost 12 years ago
Nice idea. However, would there be any security enhancements over using key based authentication where all clients have full disk encryption on them? The only thing I imagine this protecting against (when using key based auth) is if my laptop were to be stolen, which is already protected by the full disk encryption. Am I missing something or is this primarily for password auth?

I suppose automated deploy scripts could also be modified to accept an authenticator code as a parameter too.
niftylettuce, almost 12 years ago
outside of desktop, if you're building a webapp, you should check out Prove.

we have a similar script to Stripe such that you can drop in a complete JS widget in seconds with your public API key.

    <form action="/verify" method="post">
      <script src="//getprove.com/v1/verify.js"
              data-callback="/verified.html"
              data-key="YOUR-API-PUBLIC-KEY"
              class="prove-verify"></script>
    </form>

https://getprove.com

(plug)
zurn, almost 12 years ago
Two factors is better than one, but people are at risk of their Android phones being compromised too, maybe as much as most Linux boxes. If your phone is not fresh off the assembly line, you're surfing the web with ancient unpatched WebKit and an OS that has a zillion unpatched local root bugs. If you use a password storage app on your phone, that's both factors on it...
hijinks, almost 12 years ago
I have a blog post on how to enable google auth with openvpn

http://zcentric.com/2012/10/09/google-authenticator-with-openvpn-for-2-factor-auth/
jwr, almost 12 years ago
Please fix your blog so it doesn't disable zooming on iPads (and possibly other devices). There is no good reason for doing it and it prevents some people from reading what you wrote.
rpledge, almost 12 years ago
Anyone happen to know what lib is used to generate the QRCode in the terminal?
usaopp, almost 12 years ago
This isn't specific to Linux. Titles like this are off-putting to users of other open source OSes.