# 2faGoogleAuthenticator
2fa with Google Authenticator allowing SSHKeys
Overview
This will allow you to install Google authenticator add users that will use the authenticator
Those users can create ssh keys using authenticator that they can use without passwords or authenticator.
This solves for how do you give someone ssh access to a server without knowing thier private key and without leaving access open to passwords only.
The added step motivates them to use more secure access methods keypairs.
This writeup is on an Ubuntu 18.04 server. Milage may vary with other distros.
Commands are assumed as user is running as root. If you run into an issue, check that.
What to install
SSH if it isnt already on your system
Open SSL if it isnt on your system
Google Authenticator
To search your system for these files use:
# dpkg --get-selections | grep ssh
Replace the word after grep for what ever you are looking for.
Install what you are missing then continue.
If your feeling dangerous here is a line of code to grab all of them
# apt install -y openssh-server openssl libpam-google-authenticator
Then sitback and let that complete
Do you have a list of users you want to set this up for? are they new users?
My example is new users however you can modify the .profile file and user groups as needed.
For the future I will automate more of this.However for now you can see how the sausage is made.
Lets add the group that the new users will be a part of:
# groupadd google-auth
If you have current users, after you create the group use gpasswd to add them
# gpasswd google-auth -M bob,joe,smith
Lets create the encrypted password for the user
# openssl passwd -crypt
This will prompt you for the password and again to confirm. (Punish1234)
Copy the text it gives you for use later
S3Cr#tp@ss
Now lets edit the default .profile file so we dont have to do it for each individual user
# nano /etc/skel/.profile
Look, dont give me crap about nano. It works. Ill learn vi and vim later.
At the end of the .profile file add:
sh /usr/local/bin/google-auth-check.sh
Save your file and on to the next step
Create the .sh file /usr/local/bin/google-auth-check.sh
# nano /usr/local/bin/google-auth-check.sh
copy the contents below into that file
#!/bin/bash
if [ ! -f ~/.google_authenticator ]; then
echo ""
echo ""
google-authenticator -t -D -w 17 -S 30 -f -Q utf8 -u -e 10
echo ""
echo "You were given a temporary password for this account."
echo "Set up google authenticator and sshkey access"
echo "Password-only logins are disabled when you logout of this session"
echo "\e[1;31mDo not close this window unless you have completed these tasks!\e[0m"
echo "-admin"
echo""
if [ -f ~/.google_authenticator ]; then
sed -i "/^${USER}$/d" /google-auth/authusers
fi
fi
Save your file
Give the file execute permissions
#chmod +x /usr/local/bin/google-auth-check.s
On to the next step
Create the directory where your auth users file will reside and the file with the following command
# mkdir /google-auth/
# chmod 777 /google-auth/
# touch /google-auth/authusers
# chgrp google-auth /google-auth/authusers
# chmod ug=rwx,o= /google-auth/authusers
Now to add your users to this file
# nano /google-auth/authusers
Add your user test-admin for instance
Save your file
Note: each user should be on a new line. Use cat to check
# cat /usr/local/bin/google-auth-check.sh
test-admin
zod
frank-castle
ricky-bobby
#
On to the next step
Actually create the user! (if you dont want the user to have sudo dont add it here)
# useradd -m -p S3Cr#tp@ss -G sudo, google-auth -s /bin/bash test-admin
Please make sure you have local console access incase you lock yourself out with the next steps with PAM and SSH Config
From what I can tell much of PAM and ssh config work by line. So it matters where commands are.
First is PAM
# nano /etc/pam.d/sshd
under "@include common-auth" put the next line:
auth sufficient pam_listfile.so item=user sense=allow file=/google-auth/authusers
at the end of the pile put the next line:
auth required pam_google_authenticator.so
Save your file
Next is sshd_config
# nano /etc/ssh/sshd_config
look for PasswordAuthentication yes
Make sure it says yes. If there is a # and the begining remove it.
Next is ChallengeResponseAuthentication yes
Make sure it says yes. If there is a # and the begining remove it.
Last is UsePAM yes
Make sure it says yes. If there is a # and the begining remove it.
Save your file
Cross your fingers
restart your SSH Service
# service sshd restart
You're almost finished!!
Have your users download the google authenticator app from their market (Android, iOS)
Let the user login to the server with their username and password!
They will have to set up the auth on their device, they wont be able to log back in without it.
The authenticator app is easy to use and you will just scan the QR code on the screen (magic).
They wont be able to log back in without it
They wont be able to log back in with... out... it.
This also means they wont be able to add their ssh keys to the server without it (thats kinda a login).
They can now add their keys and not use username or 2FA
From their system for the server
# ssh-keygen -t rsa -b 4096 -C "test-admin@Punisher.net"
Enter through all the steps
Then push the key to the server!
# ssh-copy-id test-admin@104.115.107.237
Will be asked for password and authenticator code
I hope this helps!!
References:
https://dopensource.com/2016/12/30/scripting-one-time-ssh-access-to-allow-for-google-authenticator-setup/
https://linuxize.com/post/how-to-set-up-ssh-keys-on-ubuntu-1804/
https://www.mankier.com/1/google-authenticator
I'm not a coder
I didnt spell check anything