
Linux Hack of the Week #9: Using Google Authenticator for 2FA

The implementation of two-factor authentication (2FA) is one of the simplest ways to make a huge improvement in the security of your systems. There are a number of ways to implement it, such as email, text messages, and applications. Google has done a great job of creating a two-factor authentication app that can be integrated into a number of different applications.

In this week’s hack, I’ll lay out the steps needed to configure 2FA for use with SSH on Linux servers. Google provides a module to use with the Linux Pluggable Authentication Module (PAM) framework.

Installation

First, you will want to install the Google Authenticator app on your mobile device. This can be found in the app store on your device.

For this demo, I am using Fedora 28. With any luck, all of these steps should work on Red Hat, CentOS, and Fedora. To install the module, run:

[joe@fedora28 ~]$ sudo dnf install google-authenticator

Next, configure the application by running google-authenticator.

It will print a QR code out on the console to scan with the mobile application. You can also manually enter the codes printed out, but I find scanning always works.

Configuration

Now, you will need to update PAM to require 2FA for SSH connections. Edit the file /etc/pam.d/sshd:

[joe@fedora28 ~]$ sudo vi /etc/pam.d/sshd

Add the option:

auth       required  pam_google_authenticator.so nullok

The nullok option allows users who have not yet set up 2FA to log in, create their QR code, and initialize the Google Authenticator app. Once all users have configured the app, remove nullok.

Next, edit /etc/ssh/sshd_config and change the option ChallengeResponseAuthentication from no to yes.

Now restart sshd and try to connect. It will prompt you for a verification code, which is the six-digit code shown in the Google Authenticator app:

[joe@fedora28 ~]$ sudo service sshd restart

[joe@fedora28 ~]$ ssh you@localhost
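
A pre-flight audit for the settings above, as an added example that is not part of the original post: it reports whether the PAM line still carries nullok, what ChallengeResponseAuthentication is set to, and which accounts have no secret file yet. The function names and the UID >= 1000 cut-off are assumptions; ~/.google_authenticator is the module's default secret file location.

```sh
#!/bin/sh
# Added example (not from the original post): audit the 2FA settings above.

# State of pam_google_authenticator.so in a PAM file: missing, optional
# (nullok still present, unenrolled users get in), or enforced.
pam_2fa_state() {
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -qw nullok; then
        echo optional
    else
        echo enforced
    fi
}

# First active ChallengeResponseAuthentication value (sshd keeps the first
# occurrence of a keyword; keywords are case-insensitive), or "unset".
sshd_challenge_response() {
    awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Accounts in a passwd-format file with a login shell and UID >= 1000
# (assumed cut-off for human users) that have no ~/.google_authenticator
# secret file; they fail the 2FA step once nullok is removed.
unenrolled_users() {
    while IFS=: read -r user _ uid _ _ home shell; do
        [ "$uid" -ge 1000 ] 2>/dev/null || continue
        case "$shell" in */nologin|*/false|'') continue ;; esac
        [ -f "$home/.google_authenticator" ] || echo "$user"
    done < "$1"
}

# Report on the live files when they are readable (run as root).
if [ -r /etc/pam.d/sshd ] && [ -r /etc/ssh/sshd_config ]; then
    echo "PAM 2FA state:       $(pam_2fa_state /etc/pam.d/sshd)"
    echo "ChallengeResponse:   $(sshd_challenge_response /etc/ssh/sshd_config)"
    echo "Not yet enrolled:    $(unenrolled_users /etc/passwd | tr '\n' ' ')"
fi
```

Run it as root so it can read sshd_config and every home directory; it inspects only the files named, so settings pulled in through Include or Match blocks are not seen. Newer OpenSSH releases name this setting KbdInteractiveAuthentication and keep ChallengeResponseAuthentication as a deprecated alias, so a host configured with the new keyword reports unset here.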

Conclusion

With that simple configuration change, you have now added significant improvements in security to your Linux hosts. Did you know that the Automox console supports 2FA? It is as simple as turning on the option in the UI. Check out this blog post for a quick walkthrough of the two different types of 2FA Automox supports. As always, if you have any questions feel free to reach out: mcmanus@automox.com.


Joe McManus, CISO


Joe is a Senior Cyber Security Researcher at CERT and a Professor at the University of Colorado College of Engineering where he teaches graduate courses in information security and forensics. Recently, Joe was the Director of Security at SolidFire, (acquired by NetApp [NTAP]). He is an avid cyclist, climber and leads the Automox security team.
