Rich Freeman on 28 Oct 2014 12:06:40 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] Google Authenticator / SSH

I was chatting on IRC and mentioned that I use Google Authenticator
for ssh connections (anytime I use a password - I bypass it for RSA).

This is incredibly easy to set up - I'd strongly recommend it for
anybody.  This is a decent guide:

You could even use it for console logins if you are really paranoid,
but if you do that you might want to make sure you have a way around
it if you lose your phone.

I set this up, and then I stopped worrying about fail2ban for ssh.

The other thing I usually do with PAM is add a line like this to
various services:
auth                required onerr=fail
item=user sense=allow file=/etc/ssh/ssh_allow.pamlist

I have this set up for services like smtp, pop3, imap, and ssh.

The file it references is just a text file with a list of users.
Anybody not on the list can't login via the specified service.  This
just greatly limits the attack surface in general.

Between the two I'm really not concerned with ssh brute force attacks.
They need to get past PAM throttling, the account password, google
authenticator attempt throttling, and the time-based OTP token (a
six-digit number valid for 30 seconds).  Either that or they need an
RSA key, which obviously isn't going to get brute forced.  A failed
attempt gives no information as to what component of the
authentication failed.

The only downside is that when I'm doing clonezilla backups at home I
have to carry my smartphone around from PC to PC just to log in.  :)
I'm sure there is some clever way with PAM to exempt local connections
to a specific account.

The next step is to get all of that working with a U2F token if they
ever extend the protocol to something other than javascript and a USB

If we ever do 15 minute talks I'd be happy to toss together a few
slides and do a demo.  This one might even fit into a lightning talk.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --