maemo.org - Talk - [HOW TO] SSH two-factor authentication

I added two-factor authentication on my Jolla, to require username/token/password for connecting thru SSH to the device.

Since I was asked how I did this, I post this instruction page :)

Firstly, I compiled the 'pam-google-authenticator' code from github to be able to use the pam_google_authenticator.so library to accomplish this. The resulting library, and google-athenticator binary (to generate the secret key on device). It is published on my merproject page, so you will need to add this repository.

As you can guess from above, PAM is used for authenticating this way, so a few changes to sshd_config and pam files are needed (described below).

Now, the instructions, they are quite straight-forward, so I dont think they will cause much confusion ;)

First, on device:

become root:

Code:

[nemo@Jolla ~]$ devel-su

Add my repository:

Code:

[nemo@Jolla ~]# ssu ar nieldk http://repo.merproject.org/obs/home:/nielnielsen/sailfish_latest_armv7hl/

[nemo@Jolla ~]# pkcon refresh

Install google-authenticator and PAM libs

Code:

[nemo@Jolla ~]# pkcon install pam-google-authenticator

Create Google Authenticator, secret keys for user nemo

Code:

[nemo@Jolla ~]# exit

[nemo@Jolla ~]$ google-authenticator

Follow on-screen-instructions:

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200...%26issuer%3Dxx
Your new secret key is: 2C3IHASRPY3PHHGAAF5
Your verification code is 312471
Your emergency scratch codes are:
12345670
12345671
12345672
12345673
12345674

Do you want me to update your "/home/nemo/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Take a note of the secret key 2C3IHASRPY3PHHGAAF5
This is what you need to enter in the Google Authenticator application of your choise

Now, change the configuration files for sshd
become root:

Code:

[nemo@Jolla ~]$ devel-su

[nemo@Jolla ~]# nano /etc/ssh/sshd_config

add (or change) lines:
ChallengeResponseAuthentication yes
UsePAM yes

Code:

[nemo@Jolla ~]# nano /etc/pam.d/sshd

add (or change) lines:
auth required /usr/lib/security/pam_google_authenticator.so

To test connection with two-factor authentication, restart sshd and terminate connection:

Code:

[nemo@Jolla ~]# pkill sshd

(will exit you current SSH connection)

Now, on laptop:

Code:

nieldk@nn:~$ ssh nemo@your.phone.ip.adress

Anser login questions ;)

Verification code: <Google Authenticator code>
Password: <password>

Last login: Sun Apr 26 14:01:11 2015 from x.x.x.x
,---
| SailfishOS 1.1.4.28 (Äijänpäivänjärvi) (armv7hl)
'---
[nemo@Jolla ~]$

Done!