| 1 | 1 | new file mode 100644 | 
                    
                | ... | ... | @@ -0,0 +1,49 @@ | 
                    
                |  | 0 | +--- | 
                    
                |  | 1 | +layout: post | 
                    
                |  | 2 | +title: "`$ su -' with Two-Step Authentication" | 
                    
                |  | 3 | +date: 2014-05-29 11:06 | 
                    
                |  | 4 | +comments: true | 
                    
                |  | 5 | +categories: [server, shell, paranoid, linux] | 
                    
                |  | 6 | +cover: /images/cover/avatar.png | 
                    
                |  | 7 | +keywords: Google Authenticator, two factor, two step, ssh, security | 
                    
                |  | 8 | +description: More secure login via two-step authentication | 
                    
                |  | 9 | +--- | 
                    
                |  | 10 | + | 
                    
                |  | 11 | +##### TL;DR | 
                    
                |  | 12 | +Log in with user's password and verification code obtained from  | 
                    
                |  | 13 | +[Google Authenticator](https://code.google.com/p/google-authenticator/) mobile app. | 
                    
                |  | 14 | + | 
                    
                |  | 15 | +# Intro  | 
                    
                |  | 16 | +I really like a [two-step authentication](http://en.wikipedia.org/wiki/Multi-factor_authentication) | 
                    
                |  | 17 | +(or two-factor) idea. I use everywhere I can (Google accounts,  | 
                    
                |  | 18 | +Bitstamp, Facebook...); so I get this idea: logging in as root would require correct | 
                    
                |  | 19 | +user's password and some verification code obtained from my phone. I found very  | 
                    
                |  | 20 | +easy-to-use solution: Google Authenticator.<br> | 
                    
                |  | 21 | +It's an open-source project (Apache License 2.0) so if you're paranoid go and  | 
                    
                |  | 22 | +check if it doesn't contain some backdoor ;) The Authenticator app provides a random  | 
                    
                |  | 23 | +[one-time password](http://en.wikipedia.org/wiki/One-time_password)(verification code) | 
                    
                |  | 24 | +users must provide in addition to their password. | 
                    
                |  | 25 | + | 
                    
                |  | 26 | +I access my server via password-less ssh login (```ssh alterego@my.server```) and then | 
                    
                |  | 27 | +I log in as root (```su -```). I set up Google Authenticator to ask for  | 
                    
                |  | 28 | +verification code after inserting correct root's password. Let's do that right now. | 
                    
                |  | 29 | + | 
                    
                |  | 30 | +# Installation and usage | 
                    
                |  | 31 | + | 
                    
                |  | 32 | +Install PAM library and tools: ```libpam-google-authenticator```. | 
                    
                |  | 33 | +Log in as root and run ```google-authenticator```. It generates a key and emergency | 
                    
                |  | 34 | +codes (useful if you lost your phone). In your phone enter generated secret key  | 
                    
                |  | 35 | +(type of the key is 'time based'). | 
                    
                |  | 36 | + | 
                    
                |  | 37 | +Then paste to the last line in ```/etc/pam.d/su```: | 
                    
                |  | 38 | + | 
                    
                |  | 39 | +    auth required pam_google_authenticator.so | 
                    
                |  | 40 | + | 
                    
                |  | 41 | +Now everything's should be set up.  | 
                    
                |  | 42 | + | 
                    
                |  | 43 | +0. You're logged in as a regular user | 
                    
                |  | 44 | +1. Fire ```su -``` | 
                    
                |  | 45 | +2. Enter your password | 
                    
                |  | 46 | +3. Enter verification code from your phone | 
                    
                |  | 47 | +4. ??? | 
                    
                |  | 48 | +5. Profit. | 
                    
                | 0 | 49 | \ No newline at end of file |
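Review bot: the appended `auth required pam_google_authenticator.so` in `/etc/pam.d/su` is unconditional, so once it is in place `su - <anyuser>` fails for every target account that has not run `google-authenticator`, because the module looks for that user's `~/.google_authenticator` and treats a missing file as a failure; the post should either state that only root is enrolled and that `su` to other accounts will break, or document the module's `nullok` option together with its trade-off (accounts without a secret file skip the second factor entirely). Two more caveats belong next to "type of the key is 'time based'": TOTP codes are only valid if the server clock is reasonably in sync, so NTP should be running, and this change guards only `su`; direct root logins over ssh, `sudo -i`, and console logins go through other PAM stacks (`/etc/pam.d/sshd`, `/etc/pam.d/sudo`, `/etc/pam.d/login`) and are untouched, which is worth saying explicitly since the front matter lists `ssh` under keywords. Minor: the TL;DR says "Log in with user's password", but in the `su -` flow shown in steps 1-3 the password prompted for is root's; and the title mixes a backtick with a straight quote (`` `$ su -' ``), which renders oddly outside TeX.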