Google Authenticator for SSH
Hey Reader,
My name is Akshay, and I am working as a Senior Developer at Luxoft India. In this article I will show you how you can secure your SSH login with Google Auth. Securing your SSH login with Google Authenticator creates an extra security layer for your server. This came up as part of my project at Luxoft, and I was able to implement it successfully.
We all know that we log in (SSH) to our server in 2 ways. The first way is password authentication (using your user password), and the second way is passwordless authentication (using SSH keys, i.e. a public and private key combination).
SSH refers to the protocol by which network communications can take place safely and remotely via an unsecured network. SSH enables a variety of crucial functions: protected file transfers, automated processes, command execution, and remote access to private network systems, devices, and applications.
When it was first developed, SSH sought to address the security lapses of Telnet, a protocol that allows one computer to log into another on the same open network. In its original form, distinguished as SSH-1, secure shell protocol made great leaps in networking operation security but had a few notable design vulnerabilities. The detection of these vulnerabilities led to version SSH-2.
Today, most systems that utilize SSH support SSH-2. The updates of this version have strengthened the protocol and made it a reliable cryptographic method of remote networking. By authenticating and encrypting every session, SSH in networking protects data against overt forms of cyberattack perpetrated by system hijackers, as well as subtler forms of information theft like packet sniffing.
How does Google Authenticator work?
Authenticator works for any site or service that has enabled two-factor authentication. Like most web-based 2FA applications, the system combines knowledge and possession features. To access websites or web-based services, the user types in his normal username and password and then enters a one-time passcode (OTP) that was delivered to his device, triggered by the login. That combination verifies that the same person entering login data on the site is in possession of the device to which the Google Authenticator app was downloaded.
Passwords may be easy to crack or otherwise steal, but because the vast majority of exploits are conducted via the Internet, it is unlikely that the hacker also has access to the user’s physical device.
The Authenticator app is based on the time-based one-time password (TOTP) system specified in the IETF’s RFC 6238 document. The TOTP algorithm generates a six-digit passcode that factors in the current time of day to ensure that each passcode is unique. Passcodes are changed every 30–60 seconds for further security.
In this post, I will discuss password authentication to the server along with authenticator (extra security layer).
How to achieve Google authentication in the server?
We will achieve this in the following steps:
- Download Google authenticator.
- Configure Google authenticator to work with SSH
- Modify SSH to work with the Google authenticator
- Configure SSH to require both the Google authenticator and key
Install and Initialize the Google Authenticator
We will install Google Authenticator on the server with the following commands:
Google Authenticator has been installed successfully. Now we will set up Google Authenticator on the server. Execute the below command and follow the instructions.
Now you can use the secret key (that you got from the above configuration) in your Google Authenticator app to create a setup for auth. You can also scan the QR code by clicking on the Google URL that you got while setting up google-authenticator. Once Google Auth is set up, we will modify the SSH configuration file.
Modify SSH configuration:
Now we will modify the SSH configuration file “/etc/ssh/sshd_config” to accept the Google Auth key and pub key when logging in to the server. Add the below lines in the SSH configuration file (search for “PasswordAuthentication” and set it to “yes”, and set “PubkeyAuthentication” to “no”) and one extra line (AuthenticationMethods publickey,keyboard-interactive).
PubkeyAuthentication no
Further, we will go to “/etc/pam.d/sshd” and add the below line. This is the most important step in setting up Google Auth for SSH access.
Now, we will restart the SSH service to apply the above changes.
Now try to log in to the server; it will ask for “Verification code”.
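sshd_config(5) notes that each method listed in AuthenticationMethods should also be explicitly enabled in the configuration. The check below is an added example, not part of the original article: it reads sshd_config text and reports listed methods that are switched off, using a constructed sample that mirrors the three settings given above; the function and variable names are hypothetical.

```python
# Added example: does sshd_config enable every method that AuthenticationMethods lists?
# Only the global section is read; Match blocks and Include files are not evaluated.
# Keyword that switches each method on or off, and the upstream default when unset.
SWITCH = {
    "publickey": ("pubkeyauthentication", "yes"),
    "password": ("passwordauthentication", "yes"),
    "keyboard-interactive": ("kbdinteractiveauthentication", "yes"),
}
# Deprecated spelling that sets the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_global(config_text):
    """Return {keyword: value}; keywords are case-insensitive, first value wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":  # conditional blocks start here; stop reading
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def disabled_methods(config_text):
    """Methods named in AuthenticationMethods whose switch is set to 'no'."""
    settings = parse_global(config_text)
    found = []
    for method_list in settings.get("authenticationmethods", "").split():
        for method in method_list.split(","):
            name = method.split(":", 1)[0]  # drop a submethod such as ":pam"
            keyword, default = SWITCH.get(name, (None, None))
            if keyword and name not in found and settings.get(keyword, default).lower() == "no":
                found.append(name)
    return found


# Constructed sample mirroring the three settings given in the article.
ARTICLE_SETTINGS = """\
PasswordAuthentication yes
PubkeyAuthentication no
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    print("listed but disabled:", disabled_methods(ARTICLE_SETTINGS))
```

On a live host, `sshd -t` validates the configuration file before the service is restarted.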
If you do not want password authentication and want to enable passwordless authentication, you can go through the post: Establish a password-less SSH connection between servers
Try setting this up on your server to add an extra security layer to your SSH. Feel free to comment in the comment section below if you face any issue in setting this up. I also request you to share your valuable feedback regarding the post.