Hello Friends, I am again come up with a new post. In this post, I will show you how you can secure your SSH login with Google Auth. Securing your SSH login with Google Authenticator creates an extra security layer for your server.
We all know that we log in (SSH) to our server in 2 ways. The first way is: password authentication (using your user password) and the second way is: passwordless authentication (using SSH keys, like public & private key combination.
In this post, I will discuss password authentication to the server along with authenticator (extra security layer).
How to achieve Google authentication in the server?
We will achieve this in the following steps:
- Download Google authenticator.
- Configure Google authenticator to work with SSH
- Modify SSH to work with the Google authenticator
- Configure SSH to require both the Google authenticator and key
Install and Initialize the Google Authenticator:
We will install Google Authenticator in the server by following commands:
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[cloud_user@BeAnExpert .ssh]$ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm [sudo] password for cloud_user: Last metadata expiration check: 0:07:27 ago on Sat 08 Aug 2020 10:46:00 AM UTC. epel-release-latest-7.noarch.rpm 57 kB/s | 15 kB 00:00 Dependencies resolved. =============================================================================================================================================== Package Architecture Version Repository Size =============================================================================================================================================== Installing: epel-release noarch 7-12 @commandline 15 k Transaction Summary =============================================================================================================================================== Install 1 Package Total size: 15 k Installed size: 24 k Is this ok [y/N]: y Downloading Packages: Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : epel-release-7-12.noarch 1/1 Running scriptlet: epel-release-7-12.noarch 1/1 Verifying : epel-release-7-12.noarch 1/1 Installed: epel-release-7-12.noarch Complete!
sudo yum install google-authenticator
[cloud_user@BeAnExpert .ssh]$ sudo yum install google-authenticator Extra Packages for Enterprise Linux 7 - x86_64 23 MB/s | 16 MB 00:00 Last metadata expiration check: 0:00:05 ago on Sat 08 Aug 2020 10:57:49 AM UTC. Dependencies resolved. =============================================================================================================================================== Package Architecture Version Repository Size =============================================================================================================================================== Installing: google-authenticator x86_64 1.04-1.el7 epel 48 k Transaction Summary =============================================================================================================================================== Install 1 Package Total download size: 48 k Installed size: 97 k Is this ok [y/N]: y Downloading Packages: google-authenticator-1.04-1.el7.x86_64.rpm 748 kB/s | 48 kB 00:00 ----------------------------------------------------------------------------------------------------------------------------------------------- Total 221 kB/s | 48 kB 00:00 warning: /var/cache/dnf/epel-a56bdfa2f5efdfb9/packages/google-authenticator-1.04-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY Extra Packages for Enterprise Linux 7 - x86_64 1.6 MB/s | 1.6 kB 00:00 Importing GPG key 0x352C64E5: Userid : "Fedora EPEL (7) <epel@fedoraproject.org>" Fingerprint: 91E9 7D7C 4A5E 96F1 7F3E 888F 6A2F AEA2 352C 64E5 From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 Is this ok [y/N]: y Key imported successfully Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : google-authenticator-1.04-1.el7.x86_64 1/1 Running scriptlet: google-authenticator-1.04-1.el7.x86_64 1/1 Verifying : google-authenticator-1.04-1.el7.x86_64 1/1 Installed: google-authenticator-1.04-1.el7.x86_64 Complete!
Google authenticator has been installed successfully. Now we will setup the Google authenticator in the server. Execute the below command and follow the instructions.
google-authenticator
[cloud_user@BeAnExpert .ssh]$ google-authenticator Do you want authentication tokens to be time-based (y/n) y Warning: pasting the following URL into your browser exposes the OTP secret to Google: https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/cloud_user@BeAnExpert.co.in%3Fsecret%XXXXXXXXXXXXXXXXXXXXXXXXXX%26issuer%3DBeAnExpert.co.in Failed to use libqrencode to show QR code visually for scanning. Consider typing the OTP secret into your app manually. Your new secret key is: XXXXXXXXXXXXXXXXXXXXXXXXXX Your verification code is 805649 Your emergency scratch codes are: 590034562 643525434 904546771 739143772 723754546 Do you want me to update your "/home/cloud_user/.google_authenticator" file? (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y [cloud_user@BeAnExpert .ssh]$
Now you can use the secret key (that you got from the above configuration) in your Google Authenticator to create a setup for auth. You can also scan the QR code by clicking on the Google URL that you got during setting up google-authenticator. Once it is set up the Google Auth, we will modify SSH configuration file.
Modify SSH configuration:
Now we will modify SSH configuration “/etc/ssh/sshd_config” to accept the Google Auth key and pub key when login to the server. Add the below lines in the SSH configuration file (Search for “PasswordAuthentication” and set it to “yes” and “PubkeyAuthentication” to “no“) and one extra line (AuthenticationMethods publickey,keyboard-interactive)
PubkeyAuthentication no PasswordAuthentication yes AuthenticationMethods publickey,keyboard-interactive
Further, we will go to “/etc/pam.d/sshd” and will add the below line. This is the most important steps in setting the Google Auth for SSH access.
auth required pam_google_authenticator.so
Now, we will restart the SSH service to make the above changes.
sudo systemctl restart sshd
Now try to login to the server, it will ask for “Verification code”.
.ssh $ ssh cloud_user@34.228.208.150 Password: Verification code: This system is not registered to Red Hat Insights. See https://cloud.redhat.com/ To register this system, run: insights-client --register Last login: Sat Aug 8 11:17:19 2020 from XX.XXX.XX.XXX [cloud_user@BeAnExpert ~]$
If you do not want password authetication and want to enable password less authetication, you can go through the post: Establish a password-less SSH connection between servers
Try to set up this in your server and implement an extra security layer to your SSH. Feel free to comment in the below comment section, if you face any issue in setting this up. I also request you to share your valuable feedback regarding the post.
Thank you! 🙂
My name is Shashank Shekhar. I am a DevOps Engineer, currently working in one of the best companies in India. I am having around 5 years of experience in Linux Server Administration and DevOps tools.
I love to work in Linux environment & love learning new things.
Powered by Facebook Comments
Awesome Explanation.
Thanks :). I am glad you liked it.