Secure your server, website or facebook with 2 step verification

Secure your server, website or facebook with 2 step verification

Posted By: pmietlicki

Published to Work on Jun 23, 2017

See google support

How does it work ?

Really simple : every time you want to connect to your account, you'll still have to enter your password plus a new temporary code provided by an application you have to install on your phone or a sms automatically send to your phone. The goal is to enforce the security of your account and prevent unwanted access to it.

Advice : enable it on your google account and your facebook account

Facebook offers the same kind of feature. For google, it is over here : http://accounts.google.com/SmsAuthConfig. Under facebook, you will have to go under your account parameters -> account security -> Login approval.

Install google authenticator on debian

Download

Googe is publishing a debian pakage so you can have the same functionnality on your server. Go to https://github.com/google/google-authenticator/

Installation

apt-get install libqrencode3 libpam-google-authenticator

Configuration

Once installed, you'll have to configure the program for every user. In fact, the user account you'd like to use from the outside. Use this command :

google-authenticator
        

It will create a file .google_authenticator and a QR Code is going to appear in your terminal with other information that you'll have to save somewhere (the secret key, emergency codes if you don't have or have lost your phone, etc). You'll have to answer several questions, you should answer yes to :

Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

Then download the Google Authenticator application (AppStore or Android Market) then scan the QR code with your smartphone. Open the application then "Add an account" and "Scan the QR code".

Usage of googe authenticator PAM module with SSH

Open /etc/pam.d/sshd and add this line (before @include common-auth) :

auth required pam_google_authenticator.so
@include common-account
@include common-auth
@include common-session
session optional pam_mail.so standard noenv
session optional pam_motd.so
@include common-password

If you use univention, you'll have to modify this file : /etc/univention/templates/files/etc/pam.d/sshd

@%@UCRWARNING=# @%@
@!@
scope = "sshd"
accessfileDefault = "/etc/security/access-" + scope + ".conf"
accessfile = "auth/" + scope + "/accessfile"
if configRegistry.is_true("auth/" + scope + "/restrict", False):
 print 'account required pam_access.so accessfile=%s listsep=,' % configRegistry.get(accessfile, accessfileDefault)
print 'auth required pam_google_authenticator.so'
print '@include common-account'
print '@include common-auth'
print '@include common-session'
print 'session optional pam_mail.so standard noenv'
print 'session optional pam_motd.so'
print '@include common-password'
@!@

Under univention, don't forget to apply the settings with :

ucr commit /etc/pam.d/sshd

Check that openssh configuration ( /etc/ssh/sshd_config) contains :

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

Well done ! Now when you connect to your server, you should see « Verification code » the one you'll have to retrieve from your phone :

root@ucsdc:/var/lib/owncloud/sandra/cache# ssh -l pascal vpn
Verification code:
Password:

You should know that your phone does not need to be on the Internet for the code to work.You just need to have the application and the time of both your server and phone to be well synchronised (thanks to the GSM network for your phone and to NTP for your server).

If you don't have a smartphone

You can use Google Authenticator on your computer.

Google authenticator for WordPress

A plugin exists under WordPress : http://wordpress.org/extend/plugins/google-authenticator/. For every user profile, you'll have to activate the 2 step verification and scan the QR Code like mentionned before.

Tags: Authentication, PAM

Archive