Two-factor authentication is a method of ensuring that a user has a physical device in addition to their password when logging in to some service. This works by using a time-based (or counter-based) code which is generated by the device and checked by the host machine. Google provides a service which allows one to use their phone as the physical device using a simple app.
This service can be easily configured and greatly increases the security of your host.
- There is only one: the Google-Authenticator software itself:
# pkg install pam_google_authenticator
On older FreeBSD installations you may use:
# pkg_add -r pam_google_authenticator
On Debian-derived systems use:
# apt-get install libpam-google-authenticator
User configuration
Each user must run "google-authenticator" once prior to being able to log in with ssh. This will be followed by a series of yes/no prompts which are fairly self-explanatory. Note that the alternative to time-based codes is counter-based codes. It is easy to lose track of which counter value you are at, so most people prefer time-based.
$ google-authenticator
Do you want authentication tokens to be time-based (y/n) ...
Make sure to save the URL or secret key generated here as it will be required later.
Host Configuration
To enable use of Authenticator the host must be set up to use PAM, which must be configured to prompt for Authenticator.
Edit the file /etc/pam.d/sshd and add the following in the "auth" section prior to pam_unix:
auth requisite pam_google_authenticator.so
- Edit /etc/ssh/sshd_config and uncomment
Reload ssh config
- Finally, the ssh server needs to reload its configuration:
# service sshd reload
Configure the device
- Follow the instructions provided by Google to install the authentication app and setup the phone.
That is it. Try logging into your machine from a remote machine now.
Thanks bcallah for proof-reading this post.