Wednesday, March 07, 2012

Google Authenticator as a Backup for ssh Keys

I've really been loving Google Authenticator as a method for securing htaccess sites. I was curious if I could put it to work in yet another tricky context. Usually, I set sshd on my servers to disallow password entry and rely solely on ssh keys. The problem is, occasionally I'll want to log in from a location where I don't have easy access to my keys. I started wondering how tricky it would be to use Google Authenticator as a backup. That is, if I have a key, use it; otherwise, go through the dance of both a password and a one-time-use Google Authenticator password.

Turns out, it's not particularly tricky at all. Here's what you need to do:

  1. Install the Google Authenticator package, which includes the appropriate PAM module. For me, this was as easy as running: sudo yum install google-authenticator.
  2. Set up your .google_authenticator file and cell phone, as described here.
  3. Edit /etc/pam.d/sshd and set the first two lines to be:
    #%PAM-1.0
    auth       required pam_google_authenticator.so
    
  4. Edit /etc/ssh/sshd_config and make sure the following are setup:
    ChallengeResponseAuthentication yes
    UsePAM yes
    PasswordAuthentication yes
    
  5. Restart sshd
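As an added example (not part of the original post), here is a small POSIX shell check that verifies a copy of sshd_config and the PAM sshd file against the settings in the steps above. The sample files it builds are constructed, and the `auth include password-auth` line is an assumption about what the rest of the distribution's PAM stack looks like.

```shell
#!/bin/sh
# Added example (not from the original post): a read-only check that an
# sshd_config and a PAM "sshd" file carry the settings the steps above describe.
# Both checks take a file path, so they can be run against a copy of the files.

# Print the lowercased value of a global sshd_config directive, or nothing if
# it is unset. sshd honours the first occurrence of a keyword and accepts
# "Key value" or "Key=value"; directives inside a Match block are ignored here.
sshd_directive() {
    sed 's/=/ /' "$1" | awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }'
}

# Return 0 when the three directives the post relies on are all "yes".
check_sshd_config() {
    rc=0
    for d in ChallengeResponseAuthentication UsePAM PasswordAuthentication; do
        v=$(sshd_directive "$1" "$d")
        if [ "$v" != "yes" ]; then
            echo "sshd_config: $d is '${v:-unset}', expected yes" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 when an active (uncommented) auth line loads pam_google_authenticator.so.
check_pam_sshd() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_google_authenticator\.so' "$1"
}

# Constructed sample files mirroring the post's settings; the "include" line
# stands in for whatever the rest of the distribution's PAM stack contains.
demo=$(mktemp -d)
printf 'Port 22\nChallengeResponseAuthentication yes\nUsePAM=yes\nPasswordAuthentication yes\n' > "$demo/sshd_config"
printf '#%%PAM-1.0\nauth       required pam_google_authenticator.so\nauth       include  password-auth\n' > "$demo/pam_sshd"

if check_sshd_config "$demo/sshd_config" && check_pam_sshd "$demo/pam_sshd"; then
    echo "sshd and PAM are set up for Google Authenticator as the key-less fallback"
fi
rm -rf "$demo"
```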

Now, when I ssh with keys (or an agent), I get in as usual. But if I don't have keys, it kindly prompts me for the one-time Google Authenticator code and my regular password.

Amazingly slick, if I do say so myself.
