Installing the Google Authenticator pam package alone does not configure a system for 2 Factor Authentication when connecting via SSH.
The Google Authenticator package can be installed with apt-get on Ubuntu 14.04.3 and later (the versions I've confirmed).
It provides a PAM module that prompts a user for a code generated by the Google Authenticator app or another compatible TOTP app (such as 1Password). The script below enables the authenticator prompt when connecting over ssh with password authentication.
A few things to keep in mind:
- You cannot enable Google Authenticator for public key-based authentication at the same time as password-based authentication
- Always ensure you still have password auth enabled before attempting to use this with passwords
- The script provided below has only been tested on Ubuntu 15.10
- If you don't include `nullok` after the module line in /etc/pam.d/sshd, you will have to ensure all users are set up with the authenticator before they can connect
- User accounts secured with the authenticator won't work with SFTP or SCP tools (such as Transmit or FileZilla)
- Run the script as sudo
- Before you disconnect the ssh session you used to set things up, test from another session to ensure you haven't locked yourself out!
- There are other tutorials that cover some of the caveats and provide detailed explanations
- Ubuntu 15.10 includes libqrencode and will render a QR code in the terminal window that you can scan with Google Authenticator or another app that supports TOTP
## Script to install Google Authenticator

```bash
#!/bin/bash
# Install the Google Authenticator PAM module
sudo apt-get install -y libpam-google-authenticator

# Apply changes to sshd to enable the authenticator (keyboard-interactive prompts)
sed -i "s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g" /etc/ssh/sshd_config

# Add to end of the sshd_config file (note this text will not highlight in Vim if you review it, but it is effective)
# REQUIRED to allow public key auth while using Google Authenticator
#echo "AuthenticationMethods publickey,keyboard-interactive" >> /etc/ssh/sshd_config

# Uncomment the following line ONLY if you're not using password-based auth for ssh and you want to use
# the authenticator with public-key authentication (it stops PAM from also asking for the Unix password)
#sed -i "s/@include common-auth/#@include common-auth/g" /etc/pam.d/sshd

# Insert the module after line 6 of /etc/pam.d/sshd; nullok lets users without a
# ~/.google_authenticator file log in without a code until they run google-authenticator
sed -i "6 a # Google Authenticator with exception for users who are not enabled\nauth required pam_google_authenticator.so nullok" /etc/pam.d/sshd

# Restart SSH so the new configuration takes effect
service ssh restart
```
From the user account that you wish to use with Google Authenticator, run the following command to generate the codes:

```bash
google-authenticator
```

Location of the authenticator config file for each user: `~/.google_authenticator`
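The caveats above describe several ways to lock yourself out (the module line missing from /etc/pam.d/sshd, `ChallengeResponseAuthentication` still `no`, `nullok` omitted, or `common-auth` disabled without an `AuthenticationMethods` line). The checker below is an added example, not part of the original gist or of the libpam-google-authenticator project: it reads an sshd_config and a pam.d/sshd file given as parameters and reports FAIL/WARN findings before you restart sshd. The `write_samples` function creates constructed sample files (not real system files) so the check can be tried offline; the function and variable names are this example's own.

```bash
#!/bin/bash
# Added example: sanity-check the sshd_config / pam.d/sshd pair before restarting sshd.

# Print the first active (uncommented) value of an sshd_config keyword, lower-cased.
# sshd uses the first occurrence of a keyword, so head -n1 mirrors its behaviour.
sshd_value() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n1 | awk '{print $2}' | tr '[:upper:]' '[:lower:]'
}

# Usage: check_2fa_config /path/to/sshd_config /path/to/pam.d/sshd
# Returns 0 when no FAIL was found, 1 otherwise; WARN lines do not change the result.
check_2fa_config() {
    sshd_conf="$1"; pam_sshd="$2"; rc=0
    cra=$(sshd_value "$sshd_conf" ChallengeResponseAuthentication)
    usepam=$(sshd_value "$sshd_conf" UsePAM)
    methods=$(sshd_value "$sshd_conf" AuthenticationMethods)
    # Only uncommented auth lines count: a "#auth ..." line does nothing
    ga=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam_sshd" || true)
    common=$(grep -E '^[[:space:]]*@include[[:space:]]+common-auth' "$pam_sshd" || true)

    if [ -z "$ga" ]; then
        echo "FAIL: no active pam_google_authenticator.so auth line in $pam_sshd"; rc=1
    fi
    if [ "$cra" != "yes" ]; then
        echo "FAIL: ChallengeResponseAuthentication is '${cra:-unset}' (must be yes for the code prompt)"; rc=1
    fi
    if [ "$usepam" = "no" ]; then
        echo "FAIL: UsePAM no: sshd will never run the PAM module"; rc=1
    fi
    case "$ga" in
        "" | *nullok*) ;;
        *) echo "WARN: no nullok: every user needs ~/.google_authenticator before you restart sshd" ;;
    esac
    if [ -n "$methods" ]; then
        case "$methods" in
            *keyboard-interactive*) ;;
            *) echo "FAIL: AuthenticationMethods '$methods' does not include keyboard-interactive"; rc=1 ;;
        esac
        if [ -n "$common" ]; then
            echo "WARN: public-key mode with common-auth still included: users get a password prompt as well as a code"
        fi
    elif [ -z "$common" ]; then
        # With common-auth gone and no AuthenticationMethods, keyboard-interactive asks for the code only
        echo "FAIL: common-auth disabled without AuthenticationMethods: logins would need only the TOTP code"; rc=1
    fi
    return $rc
}

# Constructed sample files (assumed content, not copied from any system) for an offline trial.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/ok_sshd_config" <<'EOF'
Port 22
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF
    cat > "$dir/ok_pam_sshd" <<'EOF'
# PAM configuration for the Secure Shell service
# Google Authenticator with exception for users who are not enabled
auth required pam_google_authenticator.so nullok
@include common-auth
EOF
    # Broken pair: the sed on ChallengeResponseAuthentication never matched and the module line is commented out
    cat > "$dir/bad_sshd_config" <<'EOF'
ChallengeResponseAuthentication no
UsePAM yes
EOF
    cat > "$dir/bad_pam_sshd" <<'EOF'
#auth required pam_google_authenticator.so nullok
@include common-auth
EOF
    echo "$dir"
}

# Check real files when two paths are given, otherwise run against the samples.
if [ "$#" -ge 2 ]; then
    check_2fa_config "$1" "$2"
else
    d=$(write_samples)
    echo "== good sample =="; check_2fa_config "$d/ok_sshd_config" "$d/ok_pam_sshd" && echo "OK"
    echo "== bad sample ==";  check_2fa_config "$d/bad_sshd_config" "$d/bad_pam_sshd" || echo "rejected (expected)"
    rm -rf "$d"
fi
```

Run it as `sudo ./check_2fa.sh /etc/ssh/sshd_config /etc/pam.d/sshd` after the install script and before `service ssh restart`; a non-zero exit means at least one FAIL was printed. The checker only reads files, so it is safe to run repeatedly from the session you used to set things up while you test a second login.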