Linux.com

Community Blogs



Securing SSH with two factor authentication using Google Authenticator


Two-step verification (also known as Two-factor authentication, abbreviated to TFA) is a process involving two stages to verify the identity of an entity trying to access services in a computer or in a network. This is a special case of multi-factor authentication which might involve only one of the three authentication factors (a knowledge factor, a possession factor, and an inherence factor) for both steps. If each step involves a different authentication factor then the two-step verification is additionally two-factor authentication.
Link to original post: http://www.blackmoreops.com/2014/06/26/securing-ssh-two-factor-authentication-using-google-authenticator/

Google’s two-step verification process

Google was one of the first Internet companies to introduce a two-step verification process. To access a Google service using the two-step verification process, a user has to go through the following two stages:

  1. The first step is to log in using the username and password. This is an application of the knowledge factor.
  2. The implementation of the second step requires a mobile phone or the Google Authenticator application, which is an application of the possession factor.

If the user opts to use a mobile phone, he/she has to register his/her phone number with Google. When one attempts to authenticate with username and password, Google will send a new, unique code to the phone via SMS. Receiving the SMS demonstrates that the user has the phone (or, in the case of GSM-like networks, the appropriate SIM chip).

If the user opts to use the Google Authenticator (or another supported code generator application), he/she simply opens the application, which generates a new code every 30 seconds. This code is to be entered to complete the log in process. As a backup option in case the registered mobile phone or device running Google Authenticator is lost, stolen, or otherwise unavailable, the user can print a set of static single-use backup codes (also the knowledge factor) and store them in a safe place.

The following are some other sites which offer two-step verification service:

  1. Amazon Web Services
  2. ANX
  3. App.net
  4. Apple ID
  5. Authy
  6. Battle.net
  7. Bitstamp
  8. Blockchain.info
  9. Box
  10. Dropbox
  11. eBay
  12. Etrade
  13. Evernote
  14. Facebook
  15. GitHub
  16. GoDaddy
  17. HootSuite
  18. Lastpass
  19. LinkedIn
  20. LocalBitcoins
  21. Microsoft
  22. MongoLab
  23. Namecheap
  24. PayPal
  25. SocialFlow
  26. timetotrade
  27. Tumblr
  28. Twitter
  29. Viaduct
  30. WordPress
  31. Yahoo! Mail
  32. innoview.gr
  33. zoho

Google Authenticator

Google Authenticator implements TOTP security tokens from RFC 6238 in mobile apps made by Google, sometimes branded “two-step authentication”. The Authenticator provides a six-digit one-time password that users must provide in addition to their username and password to log into Google services or other sites. The Authenticator can also generate codes for third-party applications, such as password managers or file hosting services. Some versions of the software are open source.
[Source: WikiPedia]


Note: Google Authenticator doesn’t “call home” to Google; all the work happens on your SSH server and your phone. Google Authenticator is open-source software, which means you can check the code yourself. I guess after what happened with OpenSSL, that’s not a bad idea after all.

In this article I will demonstrate how to secure SSH by setting up Two Factor Authentication (TFA) with Google Authenticator for the following Linux operating systems:

  1. Debian
  2. Ubuntu
  3. Linux Mint
  4. Kali Linux
  5. Red Hat
  6. CentOS
  7. Fedora

Google Authenticator can be used on the following smartphones:

  1. Android,
  2. iOS and
  3. Blackberry.

I am not too sure if you can use this on a Windows-based phone (i.e. new Nokia phones or Windows Mobile devices). Feel free to try and report back.

App download links are as follows:

  1. Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
  2. iOS: https://itunes.apple.com/au/app/google-authenticator/id388497605?mt=8
  3. Blackberry: http://www.google.com/mobile/other

More detailed per device install instructions can be found on this page:
https://support.google.com/accounts/answer/1066447?hl=en

The implementation is exactly the same except for some package name differences, so you can implement this on any Linux operating system that uses these packages.

Requirements

The following are the requirements for using Google Authenticator on your system:

  1. A PC running Linux
  2. A smartphone
  3. A running SSH server on your machine.

In case you don’t have SSH server running, just follow this guide to install openSSH server.

Step 1: Install dependencies for Google Authenticator Module

You need to have either root or sudo privileges on the machine where you want to secure SSH by enabling Two Factor Authentication using Google Authenticator. Log in to your machine and use the following commands to install the required dependency packages:

On Debian, Kali, Ubuntu and Linux Mint (they are all Debian-based systems that use apt-get/aptitude as the package manager):

apt-get install libpam0g-dev


On Red Hat, CentOS and Fedora (they all are RedHat based where you use yum as the package manager):

yum install pam-devel

That’s it. That should install the necessary dependencies on your system. In case you have a very restricted system where you don’t have GCC, make and wget, you can install them using the following command(s):

yum install make gcc wget
(or)
apt-get install make gcc wget
 

Step 2: Download Google Authenticator Module

Google Authenticator is available on the Google Code website.

Link: https://code.google.com/p/google-authenticator/

You can just copy and paste the commands below to download and extract the Google Authenticator source code. I personally use Kali Linux, which means I am always logged in as the root user. If you’re using any of the other Linux distributions like Debian, Ubuntu, Linux Mint, Red Hat, CentOS or Fedora, where you don’t usually log in as root, then you should choose your own directory to download and extract the source code.

To download the source code of the Google Authenticator PAM library module, use the following command:

root@kali:~# wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2

At the time of writing this article, v1.0 was available.


Now extract your tarball:

root@kali:~# tar -xvf libpam-google-authenticator-1.0-source.tar.bz2

Change directory to the extracted folder:

root@kali:~# cd libpam-google-authenticator-1.0/


Step 3: Compile and Install Google Authenticator PAM module

So far we’ve installed the dependencies, and downloaded and extracted the Google Authenticator PAM module. Now we need to compile the code and install the compiled software on our system.
Use the following command to compile the downloaded source code:

root@kali:~/libpam-google-authenticator-1.0# make


Now install Google Authenticator PAM module on your system:

root@kali:~/libpam-google-authenticator-1.0# make install


Step 4: Run and configure Google Authenticator

Run Google Authenticator from the command line to configure it for your system, using the following command:

root@kali:~/libpam-google-authenticator-1.0# google-authenticator

It should present you with a bunch of questions where you get to choose Y or N. Let’s have a quick look at those questions and the outputs.

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@kali%3Fsecret%3DWKHM6UVJNTPYSPTQ
Your new secret key is: WKHM6UVJNTPYSPTQ
Your verification code is 434260
Your emergency scratch codes are:
  30287010
  70585905
  68748337
  15176712
  38041521

So on the first question you get a secret key (Your new secret key is: WKHM6UVJNTPYSPTQ) and 5 emergency scratch codes. You enter the secret key on your mobile so that you can get the correct verification code the next time you log in. Emergency codes are used when you’ve lost your mobile.
Next, it asks whether you want to use this for your root account. Being the root user, I’ve chosen Yes.

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Next up, it asks you if you want to disallow multiple uses of the same verification code. Unless you have a good reason not to, choose Yes.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

The next part is the time-based login window. From the point of getting the code on your mobile to typing it in at your login prompt, 30 seconds should be more than enough. Unless the time sync on your system is bad, you’re giving the code to someone over the phone, or you are a VERY slow keyboard warrior, I see no reason to change it. Select Yes here.

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

Last up, of course we want to enable rate-limiting. By enabling this, you ensure that only 3 login attempts can be made every 30s.

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

This finishes your initial setup for Google Authenticator PAM module. Now we need to configure PAM and SSH to actually use this technique. This is really awesome.


 

Note: Leave this terminal window open (DO NOT CLOSE). We need the codes for next steps.

Step 5: Configure SSH to use Google Authenticator PAM Module

Open your PAM configuration file /etc/pam.d/sshd

root@kali:~# vi /etc/pam.d/sshd

and add the following line:

auth       required     pam_google_authenticator.so


Next up, open your SSH configuration file /etc/ssh/sshd_config

root@kali:~# vi /etc/ssh/sshd_config

and modify the line containing ChallengeResponseAuthentication no:

ChallengeResponseAuthentication no
(change it to)
ChallengeResponseAuthentication yes


To have these changes take effect, restart SSH server:

service ssh restart
(or)
service sshd restart
(or)
/etc/init.d/ssh restart
(or)
/etc/init.d/sshd restart

Why 4 commands? Depending on your Linux distribution, some refer to the SSH daemon as sshd and some as ssh; some have the service command installed, while others require you to go into the /etc/init.d folder and restart the SSH service manually.
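A check that the two files edited in this step actually enforce the verification code, as an added example that is not part of the original post. The function names, finding codes and sample file contents are constructed for illustration; `UsePAM`, `PubkeyAuthentication`, `AuthenticationMethods` and `KbdInteractiveAuthentication` are standard OpenSSH keywords that the post itself does not mention.

```python
import re

TOTP_MODULE = "pam_google_authenticator.so"
# OpenSSH 8.7+ names the option KbdInteractiveAuthentication; the old name is an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def sshd_settings(text):
    """Map keyword -> value. sshd keeps the first value it reads for a keyword.
    Simplification (assumption): parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return settings


def totp_controls(pam_text):
    """Control field of every auth line that loads the Google Authenticator module."""
    controls = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        for i in range(2, len(fields)):
            if fields[i].endswith(TOTP_MODULE):
                controls.append(" ".join(fields[1:i]))
                break
    return controls


def audit(sshd_text, pam_text):
    """Return finding codes; an empty list means every check passed.
    An absent keyword is reported, because the default then depends on the build."""
    s = sshd_settings(sshd_text)
    findings = []
    if s.get("kbdinteractiveauthentication") != "yes":
        findings.append("challenge-response-off")   # no keyboard-interactive prompt for the code
    if s.get("usepam") != "yes":
        findings.append("usepam-off")                # /etc/pam.d/sshd is not consulted
    controls = totp_controls(pam_text)
    if not controls:
        findings.append("totp-module-missing")
    elif any(c not in ("required", "requisite") for c in controls):
        findings.append("totp-not-mandatory")        # e.g. sufficient/optional
    # Public-key logins do not run the PAM auth stack, so they get no code prompt
    # unless AuthenticationMethods chains keyboard-interactive into every method list.
    lists = s.get("authenticationmethods", "any").split()
    forces_kbd = bool(lists) and all(
        any(m.split(":")[0] == "keyboard-interactive" for m in lst.split(","))
        for lst in lists)
    if s.get("pubkeyauthentication", "yes") != "no" and not forces_kbd:
        findings.append("pubkey-skips-totp")
    return findings


# Constructed samples: the two files after the edits described in this step.
SSHD_AS_WRITTEN = "ChallengeResponseAuthentication yes\nUsePAM yes\n"
PAM_AS_WRITTEN = "auth       required     pam_google_authenticator.so\n@include common-auth\n"
# One way to close the public-key path (assumption: key plus code is wanted).
SSHD_CHAINED = SSHD_AS_WRITTEN + "AuthenticationMethods publickey,keyboard-interactive\n"

if __name__ == "__main__":
    print(audit(SSHD_AS_WRITTEN, PAM_AS_WRITTEN))   # ['pubkey-skips-totp']
    print(audit(SSHD_CHAINED, PAM_AS_WRITTEN))      # []
```

Because sshd uses the first value it reads for a keyword, appending `ChallengeResponseAuthentication yes` below an existing `no` line changes nothing; the existing line has to be modified, as the step says.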

Step 6: Configure your SmartPhone for Google Authenticator App

Like I said before, Google Authenticator can be used on the following smartphones:

  1. Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
  2. iOS: https://itunes.apple.com/au/app/google-authenticator/id388497605?mt=8
  3. Blackberry: http://www.google.com/mobile/other

More detailed per device install instructions can be found on this page:
https://support.google.com/accounts/answer/1066447?hl=en

Assuming you managed to install the app properly, launch the Google Authenticator app on your smartphone.

From Menu select Set up account


Step 6.1: Google Authenticator Setup Account

Remember the secret key you got when you initialized the Google Authenticator PAM module on your computer? I hope you still have that window open. Select Enter provided key.


In the next window, give it a name (something you can remember or that relates to your workstation, i.e. Home Workstation or My SuperAwesome LinuxBox). I’m going to use blackMORE Ops as the name.

Type in your secret key in the next field and click on the Add button.

Once it’s added, it will generate a one-time verification code (PIN) that keeps changing every 30 seconds.

Step 7: Login to your computer via SSH

Because I am doing all of this on the same computer, I will just log in to localhost (IP: 127.0.0.1). If you have 2 or more machines or VirtualBox/VMware machines, then you can try to log in from a different one. One thing to note: you MUST have an SSH server running.

In case you don’t have SSH server running, just follow this guide to install openSSH server.

So we type in the following command: (this is where you need to find out your SSH server’s IP address, I’ve shown using localhost or 127.0.0.1 IP but this can be anything from an IP, FQDN or Domain name.)

root@kali:~# ssh 127.0.0.1

and immediately you see a prompt asking for Verification code. This is your Google Authenticator code that you get from your Google Authenticator Mobile App.

Type in the numbers from your smartphone’s Google Authenticator app, and then it will prompt you for your password. Type in your password to log in.

If you fail to type in the verification code within 30 seconds, you have to try the next code shown in your smartphone’s Google Authenticator app. Awesome? Wouldn’t you agree?

Alternatives to Google Authenticator SmartPhone App:

In case you don’t own a SmartPhone or don’t want to use any, you can use the following add-on on your FireFox or IceWeasel browser:

FireFox/IceWeasel App: GAuth Authenticator https://marketplace.firefox.com/app/gauth-authenticator/


Interesting Fact:

[Update]

Got a response from the dev behind the Google Authenticator add-on for Chrome, Gerard Braad, who explained that Google have taken it down but gave no explanation as to why even after being asked several times.

The Firefox version is still available though and works great. Hopefully he may look into the issue with the Chrome version and re-submit.

Here is the FF version for those wishing to use it:

https://marketplace.firefox.com/app/gauth-authenticator/

Richard

How about that?

[ Source: https://productforums.google.com/forum/#!topic/chrome/P9rTLaeyHjg ]

Conclusion

Securing SSH with two factor authentication using Google Authenticator is possibly the best security model you can get out there for free. You can always restrict SSH by IP, change the port, rate-limit and do all sorts of crazy stuff. But those who want to open SSH to the outside world and implement all these extra security models (i.e. brute-force detection etc.) have to constantly worry about who is trying to get in and what they’ve missed while securing their system. Securing SSH with two factor authentication using Google Authenticator possibly relieves you of that worry, and you stop getting emails in the middle of the night saying someone tried to log in via SSH X number of times.

Let me know your thoughts and whether you’ve found this useful. Thanks for reading and being on my website. Please share. This would be best for System Administrators on any Linux systems.

 

Smart Cities Market Analysis 2013 - 2019

The global Smart Cities Market is expected to reach a value of USD 1,265.85 billion by 2019, growing at a CAGR of 14.0% from 2013 to 2019. Increase in migration from rural to urban areas is the major factor responsible for the growth of smart cities market, globally. North America was the largest contributor to the smart cities market and accounted for a share of 34.5% in 2012. This is mainly attributed to the increasing smart grid investments, upgradation in the water infrastructure and transportation sector. The manufacturers in this region are investing more in smart meters and smart grids to provide an excellent foundation for smart city programs.

Browse the full Smart Cities Market Report at http://www.transparencymarketresearch.com/smart-cities-market.html

Among the different application categories, smart transportation segment held the largest share of around 16% in 2012. This was due to the growing demand for advanced traffic management, building a superior environment and reducing the volume of delivery vehicles. At the same time, smart transportation links the modes of transport to improve the traffic flow in both urban and inter-urban networks. Smart transportation system helps in minimizing the economic burden of government by reducing traveling delays and fuel consumption rate. Smart security is the fastest growing segment and is expected to grow at a CAGR of 15.0% during the forecast period from 2013 to 2019. One of the reasons for the growing popularity of smart security is that it avoids third party misuse by imposing high security requirements onto the used technology.
In terms of geography, North America represents largest market for smart cities and is expected to reach a market size of USD 392.41 billion by 2019. The regional governments are taking steps towards reducing the carbon footprint by increasing the use of renewable energy resources. Governments in North America are currently working on an objective to accomplish the target of zero wastage of energy by the year 2020.

Get report sample PDF copy from here: http://www.transparencymarketresearch.com/sample/sample.php?flag=B&rep_id=357

Some of the major players in smart cities market include Siemens AG, ABB Ltd., IBM Corporation, Hitachi Ltd., Alcatel-Lucent S.A., Honeywell international Inc., Alstom S.A., General Electric Company, Telefonaktiebolaget L. M. Ericsson, Cisco Systems Inc., Oracle Corporation and others.

The global smart cities market is segmented as below:
Smart Cities Market, By Application
Smart homes
Smart buildings
Smart energy management
Smart industrial automation
Smart healthcare
Smart transportation
Smart security
Others (smart water management, smart education, so on)

Browse the full Smart Cities Market Report Press Release : http://www.transparencymarketresearch.com/pressrelease/smart-cities-market.htm
Smart Cities Market, By Geography

North America
Europe
Asia Pacific
Rest of the World (RoW)

Browse Technology and Media Market Research Reports @ http://www.transparencymarketresearch.com/technology-market-reports-8.html

 

Linux Kernel 3.16 Stable is Now Available! Install Linux Kernel 3.16 in Ubuntu/Linux Mint Systems

The Linux Kernel 3.16-Stable is now available for the users, announced Linus Torvalds. This Linux Kernel version comes with plenty of fixes and improvements. This article will guide you to install or upgrade to Linux Kernel 3.16 in your Ubuntu or Linux Mint system.

 

Read more on YourOwnLinux.

 

Excellent Free Distraction-Free Tools for Writers

Fans of the typewriter remain a vehement group. They view the typewriter as something really special, a tool which makes the connection between languages. One of the attractions of a typewriter is that it offers a distraction-free alternative of modern day methods for producing a document. They challenge the writer to concentrate on what really matters - the content. They force the writer to think.

In many countries, the typewriter has been largely consigned to history by the computer. Yet, the computer is jam-packed with distractions. The desktop with its cluttered interface, the chatter of social media, the almost limitless content of the internet, the chirping email notifications, the list of distractions is endless. When writing, concentration is vital. Fortunately, there are computer applications which are designed to offer a distraction-free environment, to ensure the writer has mental clarity, by not being distracted by the operating system and a cluttered interface.

Here is my take on the finest distraction-free applications to help you focus on writing without interruption. Each of the applications run in Linux, most are available as desktop applications.

Read on: http://www.linuxlinks.com/article/20140720045111813/DistractionFreeTools.html

 

Test read/write speed of usb and ssd drives with dd command on Linux

Drive speed The speed of a drive is measured in terms of how much data it can read or write in unit time. The dd command is a simple command line tool that can be used to read and write arbitrary blocks of data to a drive and measure the speed at which the data transfer took place. In this post we shall use the dd command to test and read and write speed of...
 

How to fix Virtualbox error “Kernel driver not installed (rc=-1908)” on Ubuntu

Virtualbox I recently installed the latest version of Virtualbox (4.3.12) by downloading the deb files from virtualbox.org on Ubuntu 14.04. The installation goes fine, but when trying to run Virtualbox, it reports the following error. Kernel driver not installed (rc=-1908) The VirtualBox Linux kernel driver (vboxdrv) is either not loaded or there is a permission problem with /dev/vboxdrv. Please reinstall the kernel module by executing '/etc/init.d/vboxdrv setup' as root. If it is available in your distribution, you should install the DKMS package first. This package keeps track of Linux kernel changes and recompiles...
 

CentOS 6.5 vs. CentOS 7.0 NAS Performance Comparison

After years of development, RedHat finally released the next major version of RedHat Enterprise Linux (RHEL) v7. RedHat Enterprise Linux is an enterprise-grade Linux distribution, which is frequently used in corporate data centers as an operating system for NAS storage devices. From the performance point of view, the new Linux kernel and the new default file system may have a significant impact on a NAS storage device and therefore it is very important to understand how the newly released RedHat Enterprise Linux version 7.0 compares to the last stable version 6.5.

 

http://www.flexense.com/centos6_vs_centos7_nas_performance.html

 

 

How To : Install NVIDIA 331.89 (Stable) Graphics Drivers in Ubuntu/Linux Mint Systems

The latest version of Nvidia Graphics driver for Linux which is Nvidia 331.89 has been released and is available for download. It comes with plenty of fixes and changes. This article will guide you to install Nvidia 331.89 in Ubuntu and Linux Mint systems.

Fixes

  • Added support for the following GPU:
      GeForce GT 730
  • Fixed a race condition in the NVIDIA kernel module that caused some GPUs to sporadically become unresponsive.
  • Updated the error reporting in the NVIDIA kernel module to include the GPU serial number, when available, in error messages written to the system log.
  • Fixed a bug that caused blank screens when transforming or rotating displays in an SLI Mosaic layout.
  • Fixed a bug that corrupted certain software rendering on 32-bit systems.

Read more on YourOwnLinux

 

How To : Install NVIDIA 340.24 Graphics Drivers in Ubuntu/Linux Mint Systems

  The latest version of Nvidia Graphics driver for Linux which is Nvidia 340.24 has been released and is available for download. It comes with plenty of fixes and changes. This article will guide you to install Nvidia 340.24 in Ubuntu and Linux Mint systems.

Fixes

  • Fixed a bug that prevented 3D Vision stereo and ultra low motion blur modes from working on G-SYNC capable monitors in some cases.
  • Fixed a bug that caused the "Allow G-SYNC" checkbox to be displayed in nvidia-settings even if the GPUs in the system are not capable of G-SYNC.
  • Fixed a kernel crash when running some applications with IOMMU functionality enabled.
  • Fixed a floating point exception in the OpenGL driver when running "Risk of Rain" under Wine.
  • Made various improvements and corrections to the information reported to GL applications via the KHR_debug and ARB_debug_output extensions.
  • Fixed a bug that caused GLX applications which simultaneously create drawables on multiple X servers to crash when swapping buffers.
  • Updated nvidia-settings to report all valid names for each target when querying target types, e.g. `nvidia-settings -q gpus`.
  • Added support for controlling the availability of Fast Approximate Antialiasing (FXAA) on a per-application basis via the new __GL_ALLOW_FXAA_USAGE environment variable and the corresponding GLAllowFXAAUsage application profile key. See the README for details.
  • Fixed a bug where indirect rendering could become corrupted on system configurations that disallow writing to executable memory.
  • Updated the nvidia-settings Makefiles to allow nvidia-settings to be dynamically linked against the host system's libjansson. This option can be enabled by setting the NV_USE_BUNDLED_LIBJANSSON Makefile variable to 0. Please note that nvidia-settings requires libjansson version 2.2 or later.

Read more on YourOwnLinux

 

How To : Install/Upgrade to Linux Kernel 3.15.5 in Ubuntu/Linux Mint Systems

"The Linux Kernel 3.15.5 is now available for the users and all the users of 3.15 kernel series must upgrade", announced Greg Kroah-Hartman. This Linux Kernel version comes with plenty of fixes and improvements. This article will guide you to install or upgrade to Linux Kernel 3.15.5 in your Ubuntu or Linux Mint system.

 

More details on YourOwnLinux

 