new file mode 100644
@@ -0,0 +1,49 @@
+---
+layout: post
+title: "`$ su -' with Two-Step Authentication"
+date: 2014-05-29 11:06
+comments: true
+categories: [server, shell, paranoid, linux]
+cover: /images/cover/avatar.png
+keywords: Google Authenticator, two factor, two step, ssh, security
+description: More secure login via two-step authentication
+---
+
+##### TL;DR
+Log in with user's password and verification code obtained from
+[Google Authenticator](https://code.google.com/p/google-authenticator/) mobile app.
+
+# Intro
+I really like a [two-step authentication](http://en.wikipedia.org/wiki/Multi-factor_authentication)
+(or two-factor) idea. I use everywhere I can (Google accounts,
+Bitstamp, Facebook...); so I get this idea: logging in as root would require correct
+user's password and some verification code obtained from my phone. I found very
+easy-to-use solution: Google Authenticator.<br>
+It's an open-source project (Apache License 2.0) so if you're paranoid go and
+check if it doesn't contain some backdoor ;) The Authenticator app provides a random
+[one-time password](http://en.wikipedia.org/wiki/One-time_password)(verification code)
+users must provide in addition to their password.
+
+I access my server via password-less ssh login (```ssh alterego@my.server```) and then
+I log in as root (```su -```). I set up Google Authenticator to ask for
+verification code after inserting correct root's password. Let's do that right now.
+
+# Installation and usage
+
+Install PAM library and tools: ```libpam-google-authenticator```.
+Log in as root and run ```google-authenticator```. It generates a key and emergency
+codes (useful if you lost your phone). In your phone enter generated secret key
+(type of the key is 'time based').
+
+Then paste to the last line in ```/etc/pam.d/su```:
+
+ auth required pam_google_authenticator.so
+
+Now everything's should be set up.
+
+0. You're logged in as a regular user
+1. Fire ```su -```
+2. Enter your password
+3. Enter verification code from your phone
+4. ???
+5. Profit.
\ No newline at end of file
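Review bot: step 2 of the walkthrough ("Enter your password") contradicts the Intro, which correctly says the verification code is asked for after "correct root's password"; `su -` authenticates against the target account, which is also why the secret has to be root's (created by running `google-authenticator` as root, as the Installation section says), so reword step 2 to "Enter root's password". The post should also state that this only gates `su`: `sudo` and a direct root ssh login go through their own PAM stacks (`/etc/pam.d/sudo`, `/etc/pam.d/sshd`), so a user with sudo rights skips the second step entirely unless the same `auth required pam_google_authenticator.so` line is added there as well; the `keywords` front matter mentions ssh but nothing in the body covers it. Minor points: `libpam-google-authenticator` is the Debian/Ubuntu package name, so say which distro the instructions target; "I use everywhere I can" should read "I use it everywhere I can" and "Now everything's should be set up" should read "Now everything should be set up"; and since the key is time based, the server clock needs to be NTP-synced or valid codes will be rejected.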