Published to Work on Jul 22, 2017
See google support
Really simple : every time you want to connect to your account, you'll still have to enter your password
plus a new temporary code provided by an application you have to install on your phone or a sms automatically send to your phone. The goal is to enforce the security of your account and prevent unwanted access to it.
Advice : enable it on your google account and your facebook account
Facebook offers the same kind of feature. For google, it is over here : http://accounts.google.com/SmsAuthConfig. Under facebook, you will have to go under your account parameters -> account security -> Login approval.
Googe is publishing a debian pakage so you can have the same functionnality on your server. Go to https://github.com/google/google-authenticator/
apt-get install libqrencode3 libpam-google-authenticator
Once installed, you'll have to configure the program for every user. In fact, the user account you'd like to use from the outside. Use this command :
It will create a file .google_authenticator and a QR Code is going to appear in your terminal with other information that you'll have to save somewhere (the secret key, emergency codes if you don't have or have lost your phone, etc). You'll have to answer several questions, you should answer yes to :
Do you want me to update your "~/.google_authenticator" file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
Then download the Google Authenticator application (AppStore or Android Market) then scan the QR code with your smartphone. Open the application then "Add an account" and "Scan the QR code".
Open /etc/pam.d/sshd and add this line (before @include common-auth) :
auth required pam_google_authenticator.so @include common-account @include common-auth @include common-session session optional pam_mail.so standard noenv session optional pam_motd.so @include common-password
If you use univention, you'll have to modify this file : /etc/univention/templates/files/etc/pam.d/sshd
@%@UCRWARNING=# @%@ @!@ scope = "sshd" accessfileDefault = "/etc/security/access-" + scope + ".conf" accessfile = "auth/" + scope + "/accessfile" if configRegistry.is_true("auth/" + scope + "/restrict", False): print 'account required pam_access.so accessfile=%s listsep=,' % configRegistry.get(accessfile, accessfileDefault) print 'auth required pam_google_authenticator.so' print '@include common-account' print '@include common-auth' print '@include common-session' print 'session optional pam_mail.so standard noenv' print 'session optional pam_motd.so' print '@include common-password' @!@
Under univention, don't forget to apply the settings with :
ucr commit /etc/pam.d/sshd
Check that openssh configuration ( /etc/ssh/sshd_config) contains :
# Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication yes
Well done ! Now when you connect to your server, you should see « Verification code » the one you'll have to retrieve from your phone :
root@ucsdc:/var/lib/owncloud/sandra/cache# ssh -l pascal vpn
You should know that your phone does not need to be on the Internet for the code to work.You just need to have the application and the time of both your server and phone to be well synchronised (thanks to the GSM network for your phone and to NTP for your server).
You can use Google Authenticator on your computer.
A plugin exists under WordPress : http://wordpress.org/extend/plugins/google-authenticator/. For every user profile, you'll have to activate the 2 step verification and scan the QR Code like mentionned before.