Two-factor authentication
You’re not paranoid – they really are out to get you. Increase your protection by using Google Authenticator with SSH.
Have you ever wondered how many times a day you type the word ‘ssh’? It’s undoubtedly one of the most useful commands in a Linux admin's toolbox, with its built-in encryption (which I really take for granted these days) as well as the tricks it has up its sleeve around forwarding and tunnelling. In fact, the only things using ssh more than me on the systems I have out on the internet are the myriad intruders, automated bots and worms attempting to break into them on a regular basis.
There are some well-known recommendations for securing SSH on Linux: avoid enabling root logins, use keys rather than passwords and (if possible) restrict access to the SSH port (22) via iptables or something similar to a defined set of source addresses. I personally don’t bother shifting the SSH port to something obscure, as scanning tools make it trivial to find where it is again anyway, but I know plenty of admins who do like to do this. I also like installing the Denyhosts package, which trivially bans hosts that make repeated connection attempts.
For systems that need to be reachable while on the move (I use my phone’s 4G connection constantly these days when out and about), defining source addresses for a firewall can be a little tricky, even with dynamic DNS options available. An easier solution to my mind is to enable two-factor authentication, using the freely available Google Authenticator service and application. There are other providers for this type of thing – take a look around if trusting Google with yet another service makes you nervous – but from my experience Google's offering is quite trivial to set up. The easiest option when using it is to install the Google Authenticator application on your smartphone of choice (it makes scanning the generated QR code very easy). It only takes a few commands and a bit of editing to set up. The example below follows what I do on my Ubuntu-based systems; other distros shouldn’t be that different.
The first thing to do is install the relevant package itself (after the usual apt-get update):

$ sudo apt-get install libpam-google-authenticator
I then run the configuration tool from my own user account (I’d never SSH directly in as root in any case, and the option is disabled):

$ google-authenticator

This kicks off a few questions, to which I answer yes in every case. These limit token reuse; make the tokens time-based; rate-limit login attempts; and adjust the time window that tokens are good for, to account for time-skew issues.
During this process a QR code will be displayed – simply scanning it with the Google Authenticator app will add it as a verification option and begin generating codes to be used during login. The tool will also display some details which need keeping somewhere secure – such as a secret key, a verification code and some ‘emergency scratch codes’ to be used in, well, emergencies.
After the install has completed there are just a couple of file edits to make, to /etc/ssh/sshd_config and /etc/pam.d/sshd. Ensure that sshd_config has its options set as follows (each keyword is a single word; a space inside one means sshd will not recognise it):

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
Then, edit the top of /etc/pam.d/sshd so that it looks like this:

# PAM configuration for the Secure Shell service
auth required pam_google_authenticator.so

# Standard Un*x authentication.
#@include common-auth
Now restart the SSH daemon. Check that your Google Authenticator app is generating codes for your system (the code will be labelled with the user and host name the QR code was generated on). Your next login to the system will ask for this verification code in addition to checking that your public-key authentication is correct. This gives you another layer of protection against intruders for just a couple of minutes' work – well worth it.
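As an added example, not code from the original article: a small POSIX shell audit of the two files edited above, run here over constructed sample copies, so that a mis-typed keyword or a still-active password stack is caught before the daemon is restarted. The function names and file paths are my own.

```sh
#!/bin/sh
# Added example (not the article's own code): audit the two files the
# walkthrough edits, so a mistake is caught before sshd is restarted.
# Paths are arguments; the sample files below are constructed for the demo.
# Print the effective value of an sshd_config keyword: the first match wins
# (as in sshd), comments are skipped and the keyword match ignores case.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}
# Succeed only when all four settings the article requires are present.
check_sshd_config() {
    [ "$(sshd_value "$1" ChallengeResponseAuthentication)" = "yes" ] || return 1
    [ "$(sshd_value "$1" UsePAM)" = "yes" ] || return 1
    [ "$(sshd_value "$1" AuthenticationMethods)" = "publickey,keyboard-interactive" ] || return 1
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ]
}
# Succeed only when pam.d/sshd requires pam_google_authenticator.so and the
# distribution's password stack (@include common-auth) is commented out.
check_pam_sshd() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1" || return 1
    ! grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$1"
}

# Constructed sample files (not copied from any real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config.good" <<'EOF'
# Change to yes to enable challenge-response passwords
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
EOF
# Same intent, but a stray space splits the first keyword, so sshd would not
# recognise it; the audit must reject this file.
cat > "$demo_dir/sshd_config.bad" <<'EOF'
Challenge Response Authentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
EOF
cat > "$demo_dir/pam_sshd.good" <<'EOF'
# PAM configuration for the Secure Shell service
auth required pam_google_authenticator.so
#@include common-auth
EOF
for f in sshd_config.good sshd_config.bad; do
    check_sshd_config "$demo_dir/$f" && echo "$f: OK" || echo "$f: REJECTED"
done
check_pam_sshd "$demo_dir/pam_sshd.good" && echo "pam_sshd.good: OK"
```

On the real host, sudo sshd -t additionally asks sshd itself to parse the file, and keeping an existing session open while you restart the daemon means a failed first login does not lock you out.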