
New article: 2-factor auth

Cinan Rakosnik authored on 29/05/2014 at 09:52:32
Showing 1 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1,49 @@
0
+---
1
+layout: post
2
+title: "`$ su -' with Two-Step Authentication"
3
+date: 2014-05-29 11:06
4
+comments: true
5
+categories: [server, shell, paranoid, linux]
6
+cover: /images/cover/avatar.png
7
+keywords: Google Authenticator, two factor, two step, ssh, security
8
+description: More secure login via two-step authentication
9
+---
10
+
11
+##### TL;DR
12
+Log in with user's password and verification code obtained from 
13
+[Google Authenticator](https://code.google.com/p/google-authenticator/) mobile app.
14
+
15
+# Intro 
16
+I really like a [two-step authentication](http://en.wikipedia.org/wiki/Multi-factor_authentication)
17
+(or two-factor) idea. I use everywhere I can (Google accounts, 
18
+Bitstamp, Facebook...); so I get this idea: logging in as root would require correct
19
+user's password and some verification code obtained from my phone. I found very 
20
+easy-to-use solution: Google Authenticator.<br>
21
+It's an open-source project (Apache License 2.0) so if you're paranoid go and 
22
+check if it doesn't contain some backdoor ;) The Authenticator app provides a random 
23
+[one-time password](http://en.wikipedia.org/wiki/One-time_password)(verification code)
24
+users must provide in addition to their password.
25
+
26
+I access my server via password-less ssh login (```ssh alterego@my.server```) and then
27
+I log in as root (```su -```). I set up Google Authenticator to ask for 
28
+verification code after inserting correct root's password. Let's do that right now.
29
+
30
+# Installation and usage
31
+
32
+Install PAM library and tools: ```libpam-google-authenticator```.
33
+Log in as root and run ```google-authenticator```. It generates a key and emergency
34
+codes (useful if you lost your phone). In your phone enter generated secret key 
35
+(type of the key is 'time based').
36
+
37
+Then paste to the last line in ```/etc/pam.d/su```:
38
+
39
+    auth required pam_google_authenticator.so
40
+
41
+Now everything's should be set up. 
42
+
43
+0. You're logged in as a regular user
44
+1. Fire ```su -```
45
+2. Enter your password
46
+3. Enter verification code from your phone
47
+4. ???
48
+5. Profit.
0 49
\ No newline at end of file
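Review bot: In the closing step list, "2. Enter your password" contradicts the intro, which says the verification code is requested "after inserting correct root's password". Since the walkthrough is about `su -` to root, the step should read "Enter root's password" so readers know which credential is prompted for. In the "Installation and usage" section, the added `/etc/pam.d/su` line is `auth required`, so it is worth telling readers to keep an already-open root shell while they test the first `su -`, and to store the emergency codes somewhere other than the phone. The front matter lists `ssh` in `keywords`, but the article only configures `su`; either drop the keyword or state that the ssh login itself stays single-factor. Minor: "Now everything's should be set up" should be "Now everything should be set up", and the file has no trailing newline.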