4.3. Practice

  1. First, log in to the remote system using an SSH client. Log in as bviXY; the password is bezpecnost.

    Note

    The login bviXY is assigned by the lecturer.

4.3.1. Secure SSH with Google Authenticator’s Two-Factor Authentication

Two-factor authentication adds an extra layer of security to the authentication process to prevent unauthorized users from accessing your services or data. Normally you type only a username and password (something you know), but with two-factor authentication you must additionally provide something you have (a mobile phone running Android, iOS or Blackberry that generates one-time codes with Google Authenticator).
To implement multifactor authentication with Google Authenticator, we’ll need the open-source Google Authenticator PAM module. PAM stands for “pluggable authentication module” – it’s a way to easily plug different forms of authentication into a Linux system.
  1. Start VirtualBox and run the CentOS virtual machine.
  2. Log in to the virtual machine as root/password.
  3. Download and install the Google Authenticator app for your phone. Instructions for Android are here:
    http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447
  4. Download and install the Authenticator app for your phone (MS Windows Phone):
    https://www.microsoft.com/sk-sk/store/apps/authenticator/9wzdncrfj3rj
  5. Install the required packages:
    $ setenforce 0
    
    $ rm -f /etc/localtime
    
    $ ln -s /usr/share/zoneinfo/Europe/Bratislava /etc/localtime
    
    $ tzselect
    (Europe)
    (Slovakia)
    (Yes)
    
    $ ntpdate pool.ntp.org
    
    $ rpm -Uvh http://zeus.fei.tuke.sk/bps3r/epel6.rpm
    
    $ yum -y install google-authenticator mc
  6. Configure PAM to use the Google Authenticator library.
    $ cp /etc/pam.d/sshd /etc/pam.d/sshd.old
    $ mcedit /etc/pam.d/sshd
    
    auth required pam_google_authenticator.so 
    auth include password-auth
  7. Locate the line in the file starting with ChallengeResponseAuthentication and change the value to yes.
    $ mcedit /etc/ssh/sshd_config 
    ChallengeResponseAuthentication yes
  8. Restart SSH
    $ /etc/init.d/sshd restart
  9. Add a new user
    $ useradd -m google 
    $ passwd google

    Warning

    Remember the password you entered.
  10. Switch to the new user
    $ su - google
  11. Configure Google Authenticator. This has to be done for each account that should be able to log in with two-factor authentication.
    $ google-authenticator
    

    Note

    Answer Y to the questions that follow.
    Your new secret key is: ABCD12E3FGHIJKLMN
    Your verification code is 98765432
    Your emergency scratch codes are:
      01234567
      89012345
      67890123
      45678901
      23456789
  12. Set up Google Authenticator on your mobile phone using the secret key from the previous step. Choose time-based tokens.
  13. Try to log in as the google user over SSH, using your smartphone.
    $ ssh google@localhost
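
To confirm that the edits from steps 6 and 7 are in effect before testing the login, the following shell functions check both files. This is an added example, not part of the original lab; the function names sshd_effective, pam_has_totp and check_2fa are hypothetical. It relies on sshd using the first uncommented occurrence of a keyword, so a leftover "ChallengeResponseAuthentication no" line above your edit still wins.

```shell
#!/bin/sh
# Added example: offline check of the two files edited in steps 6 and 7.
# Function names are hypothetical; paths default to those used on the page.

# Print the effective value of an sshd_config keyword. sshd uses the first
# uncommented occurrence and matches keywords case-insensitively.
sshd_effective() {  # usage: sshd_effective KEYWORD FILE
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# Succeed only if an uncommented auth line loads pam_google_authenticator.so.
pam_has_totp() {  # usage: pam_has_totp FILE
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $0 ~ /pam_google_authenticator\.so/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Check both files; return 0 only when steps 6 and 7 are both in effect.
check_2fa() {  # usage: check_2fa [PAM_FILE] [SSHD_CONFIG]
    pam_file=${1:-/etc/pam.d/sshd}
    sshd_file=${2:-/etc/ssh/sshd_config}
    rc=0
    if ! pam_has_totp "$pam_file"; then
        echo "FAIL: no active pam_google_authenticator.so auth line in $pam_file"
        rc=1
    fi
    value=$(sshd_effective ChallengeResponseAuthentication "$sshd_file")
    if [ "$value" != "yes" ]; then
        echo "FAIL: ChallengeResponseAuthentication is '${value:-unset}' in $sshd_file"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: steps 6 and 7 are in effect"
    return "$rc"
}
```

Load the functions into a root shell and run check_2fa with no arguments after step 8; keep the existing root session open until the login in step 13 succeeds.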