Three-factor authentication with OpenSSH, Google Authenticator and Password

Check that you have OpenSSH 6.2 or newer (the AuthenticationMethods directive used below was introduced in 6.2). In my case, I was running Debian Wheezy (stable) and therefore had to upgrade the openssh-server package to testing. That was done through AptPreferences (APT pinning):

I created the file /etc/apt/apt.conf with this line:
APT::Default-Release "stable";
Then I edited /etc/apt/sources.list and added
deb http://ftp.ie.debian.org/debian/ testing main
so that apt-get can fetch testing packages.

Now I could

$ sudo apt-get update
$ sudo apt-get -t testing install openssh-server
$ ssh -V
OpenSSH_6.2p2 Debian-6, OpenSSL 1.0.1e 11 Feb 2013

Then I set up two-factor authentication with password and Google Authenticator in PAM. Follow this guide. Make sure it’s working before moving on.

The next thing is to generate a key pair on your client with ssh-keygen and use ssh-copy-id to push the public key to the server.

The last step is to edit /etc/ssh/sshd_config, make sure the following lines are set as shown, and add any that are missing:

PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

Now restart sshd with /etc/init.d/ssh restart and test from the client:

$ ssh user@server
Authenticated with partial success. <- public key
Verification code: <- google-authenticator
Password: <- password
$
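As an added check (not part of the original post), this POSIX shell script audits an sshd_config file for the five directives above. It applies sshd's first-match rule, so an earlier conflicting line (for example a stray PasswordAuthentication yes above the intended no) is caught rather than silently winning; the config it reads in the demo is constructed inline, not a real server's file.

```shell
# Added example (not from the original post): audit an sshd_config for the five
# directives the post requires. sshd keeps the FIRST value it reads per keyword,
# so a stray "PasswordAuthentication yes" above the intended "no" silently wins;
# this check applies that first-match rule. Needs POSIX sh plus awk.

# sshd_get FILE KEYWORD(lowercase) -> effective global value, lowercased, or nothing
sshd_get() {
    awk -v key="$2" '
        { gsub(/[ \t]*=[ \t]*/, " ") }                  # accept "Key=value" too
        /^[ \t]*#/ || NF == 0 { next }                  # skip comments and blanks
        tolower($1) == "match" { exit }                 # Match blocks are not global
        tolower($1) == key { print tolower($2); exit }  # first match wins, like sshd
    ' "$1"
}

# check_three_factor FILE -> 0 if all directives match, 1 otherwise (mismatches on stderr)
check_three_factor() {
    cfg="$1"; rc=0
    for pair in \
        "pubkeyauthentication yes" \
        "challengeresponseauthentication yes" \
        "passwordauthentication no" \
        "usepam yes" \
        "authenticationmethods publickey,keyboard-interactive"
    do
        key="${pair%% *}"; want="${pair#* }"
        got="$(sshd_get "$cfg" "$key")"
        if [ "$got" != "$want" ]; then
            echo "$key: want '$want', got '${got:-<unset>}'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Demo on a constructed config (not a real server's file): the commented line and the Match block are ignored, so this passes.
demo_cfg="$(mktemp)"
cat > "$demo_cfg" <<'EOF'
# PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
    PasswordAuthentication yes
EOF
check_three_factor "$demo_cfg" && echo "OK: three-factor settings in place"
rm -f "$demo_cfg"
```

On a live host, run it against /etc/ssh/sshd_config after editing and before restarting sshd; a non-zero exit with a message on stderr tells you which directive is not in effect.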

That’s it.

I am thinking about removing the password authentication altogether to reduce the cognitive load of memorising passwords.

If you found this useful, please upvote my answer on Superuser (Stack Overflow).

2 thoughts on “Three-factor authentication with OpenSSH, Google Authenticator and Password”

  1. Shouldn’t “PasswordAuthentication no” already remove the password authentication? How would you make it do just publickey+Verification?

    • I see what you mean, but the answer is no.
      The reason is that SSH only does the publickey file check and then passes control over to the PAM system (keyboard-interactive), which then does the password check and Google Authenticator check. SSH is as such ‘blind’ to what happens within the PAM system.

      Therefore, if you want to disable the password check, this would need to be done within the PAM configuration file for SSH access: /etc/pam.d/sshd.

      Not quite sure what is needed, but some modification of the line:

      auth include password-auth

      seems likely.

      Good luck 🙂
