@troyfontaine
Last active April 28, 2022 15:03
Getting Google Authenticator working on Ubuntu for SSH Authentication

Google Authenticator for SSH How-To

Installing the Google Authenticator PAM package alone does not configure a system for two-factor authentication when connecting via SSH.

Overview

The Google Authenticator package can be installed via apt-get on Ubuntu 14.04.3 and later (that I've confirmed).

It provides a PAM module that prompts a user for a code generated by the Google Authenticator app or another compatible TOTP app (such as 1Password). The script below enables the authenticator prompt when using SSH with password authentication.

A few things to keep in mind:

  • You cannot enable Google Authenticator for Public Key-based authentication at the same time as Password-based authentication
  • Always ensure you still have password auth enabled before attempting to use this with passwords
  • The script provided below has only been tested on Ubuntu 15.10
  • If you don't include nullok after calling the module in /etc/pam.d/sshd you will have to ensure all users are set up with the authenticator before they can connect
  • User accounts secured using authenticator won't work with SFTP or SCP tools (such as Transmit or FileZilla)
  • Run the script with sudo
  • Before you disconnect the SSH session you used to set things up, test from another session to ensure you haven't locked yourself out!
  • There are other tutorials that cover some of the caveats and provide detailed explanations
  • Ubuntu 15.10 includes libqrencode and will render a QR code in the terminal window that you can use with Google Authenticator or another app that supports TOTP

Script to install Google Authenticator

#!/bin/bash

# Install Google Authenticator
sudo apt-get install -y libpam-google-authenticator

# Apply changes to sshd to enable the authenticator
sed -i "s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g" /etc/ssh/sshd_config

# Add to end of the sshd_config file (note this text will not highlight in Vim if you review, but it is effective)
# REQUIRED to allow public key auth while using google authenticator
#echo "AuthenticationMethods   publickey,keyboard-interactive" >> /etc/ssh/sshd_config

# Uncomment the following line ONLY if you're not using password based auth for ssh and you want to use
# the authenticator with public-key authentication
#sed -i "s/@include common-auth/#@include common-auth/g" /etc/pam.d/sshd

# Append the module after line 6 of /etc/pam.d/sshd; nullok lets users without a secret file still log in
sed -i "6 a # Google Authenticator with exception for users who are not enabled\nauth required pam_google_authenticator.so nullok" /etc/pam.d/sshd

# Restart SSH
service ssh restart

Log in as the user who will use Google Authenticator and run the following command to generate the codes:

google-authenticator

Location of authenticator config file for each user:

~/.google_authenticator
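
The caveats listed above (challenge-response enabled, the PAM line with or without nullok, common-auth when public keys are combined with the code) can be checked mechanically once the script has run. The following is an added example, not part of the original gist; the function names `sshd_value` and `check_ga_ssh` are hypothetical, and it assumes only global settings matter (Match blocks are not interpreted).

```shell
#!/bin/bash
# Added example, not part of the original gist. Checks that sshd_config and
# the PAM sshd file agree with the setup described above. Paths default to
# the ones the gist edits; pass copies as arguments to check them offline.
# Assumption: global settings only, Match blocks are not interpreted.

# Print the first active value of a keyword (sshd uses the first one it reads).
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

check_ga_ssh() {
    local sshd_cfg="${1:-/etc/ssh/sshd_config}"
    local pam_cfg="${2:-/etc/pam.d/sshd}"
    local rc=0 cra methods ga_line
    cra=$(sshd_value "$sshd_cfg" ChallengeResponseAuthentication)
    methods=$(sshd_value "$sshd_cfg" AuthenticationMethods)

    # Without challenge-response auth, sshd never shows the PAM code prompt.
    case "$cra" in
        yes) ;;
        "")  echo "WARN: ChallengeResponseAuthentication not set here, confirm with sshd -T" ;;
        *)   echo "FAIL: ChallengeResponseAuthentication is '$cra', expected yes"; rc=1 ;;
    esac

    # The module must sit on an active (uncommented) auth line.
    ga_line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam_cfg" | head -n 1)
    if [ -z "$ga_line" ]; then
        echo "FAIL: pam_google_authenticator.so is not enabled in $pam_cfg"
        rc=1
    elif echo "$ga_line" | grep -qw nullok; then
        echo "WARN: nullok set, users without ~/.google_authenticator skip the code"
    else
        echo "WARN: no nullok, users without ~/.google_authenticator cannot log in"
    fi

    # publickey,keyboard-interactive with common-auth still active means PAM
    # asks for the account password in addition to the key and the code.
    case "$methods" in
        *publickey,keyboard-interactive*)
            if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam_cfg"; then
                echo "WARN: common-auth still included, password is prompted too"
            fi
            ;;
    esac
    return "$rc"
}
```

Call `check_ga_ssh` with no arguments as root from the session used for setup, before opening the second test session; a non-zero return means the code prompt will not appear as configured.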