@vikas17a
Last active August 29, 2015 14:25
Setting up two way authentication (PubKey + Google Authentication)

Instructions for setting up two-factor authentication (PubKey + Google Authenticator)

Installing pam for google-authenticator

sudo yum install make gcc pam-devel

TOTP (time-based one-time password) security tokens are time-sensitive, so make sure that ntpd is running on your system and is configured to start at boot:

sudo yum install ntp
sudo service ntpd start

Install google authenticator

sudo yum install epel-release
sudo yum install google-authenticator
sh automated_google_authenticator.sh #script is present on https://gist.github.com/vikas17a/57fab41584a75530e1a4

The script prints the URL of a QR code and a verification code. Open the URL and scan the QR code with the Google Authenticator application.

Configuration changes required in sshd_config and pam.d/sshd

  • In /etc/pam.d/sshd, add the following lines at the top:
      • auth sufficient pam_access.so accessfile=/etc/security/access-local.conf
      • auth required pam_google_authenticator.so
  • In the same file, comment out the existing password-auth line:
      • #auth include password-auth
  • In /etc/ssh/sshd_config, change the following configuration:
      • UsePAM yes
      • PubkeyAuthentication yes
      • RequiredAuthentications2 publickey,keyboard-interactive
      • ChallengeResponseAuthentication yes

Bypass group of users from two-factor authentication

  • Append the following configuration at the bottom of sshd_config
Match Group deploy
  RequiredAuthentications2 publickey
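
The edited files can be checked against the settings listed above before sshd is restarted. The script below is an added example, not part of the original gist: the function names and the FAIL/BYPASS/SKIP-OTP-IF labels are made up for illustration, and it runs on constructed sample files rather than the real ones under /etc.

```sh
#!/bin/sh
# Added example (not from the gist): audit copies of sshd_config and pam.d/sshd.

# First value of keyword $2 in the global section of file $1 (sshd keeps the first value it reads).
global_value() {
    awk -v k="$2" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Check the global settings from this guide; list Match blocks that drop the OTP step.
audit_sshd() {
    rc=0
    for pair in UsePAM=yes PubkeyAuthentication=yes ChallengeResponseAuthentication=yes \
                RequiredAuthentications2=publickey,keyboard-interactive; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(global_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want $want, got ${got:-unset}"; rc=1
        fi
    done
    awk 'tolower($1) == "match" { m = $0; next }
        m != "" && tolower($1) == "requiredauthentications2" && $2 !~ /keyboard-interactive/ {
            print "BYPASS " m ": " $2 }' "$1"
    return $rc
}

# Check the PAM auth stack: OTP module required, password-auth include disabled.
audit_pam() {
    rc=0
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1"; then
        echo "FAIL pam_google_authenticator.so is not a required auth module"; rc=1
    fi
    if grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+password-auth' "$1"; then
        echo "FAIL auth include password-auth is still active"; rc=1
    fi
    # A "sufficient" module that succeeds ends the auth stack before the OTP prompt.
    awk '/pam_google_authenticator/ { exit }
        $1 == "auth" && $2 == "sufficient" { print "SKIP-OTP-IF " $3 " " $4 }' "$1"
    return $rc
}

# Constructed sample files mirroring the settings in this guide.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'UsePAM yes' 'PubkeyAuthentication yes' 'ChallengeResponseAuthentication yes' \
    'RequiredAuthentications2 publickey,keyboard-interactive' \
    'Match Group deploy' '  RequiredAuthentications2 publickey' > "$tmp/sshd_config"
printf '%s\n' 'auth sufficient pam_access.so accessfile=/etc/security/access-local.conf' \
    'auth required pam_google_authenticator.so' '#auth include password-auth' > "$tmp/pam_sshd"
audit_sshd "$tmp/sshd_config" && audit_pam "$tmp/pam_sshd" && echo "global settings match the guide"
```

Point the two functions at copies of /etc/ssh/sshd_config and /etc/pam.d/sshd. Each BYPASS or SKIP-OTP-IF line names a path by which a login completes without a verification code, so review those against the intended exceptions.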

Restart sshd

sudo service sshd restart

To use the same authenticator verification code for another user on the same machine or a different machine

  • Copy .google_authenticator from user1's home directory to user2's home directory (user2 will use the same verification codes as user1)
  • Change the owner of .google_authenticator in user2's home directory
  • Use chown -R user2:user2 .google_authenticator
  • Make .google_authenticator read-only for user2 with chmod 400 .google_authenticator
  • Now you can log in as user2 using the same QR code authentication code generator used by user1