
Add two-factor authentication to your ssh in 30 seconds - danielpal
http://blog.authy.com/add-two-factor-authentication-to-your-ssh-in-30-seconds/
======
cs702
Using a third-party service like authy.com has its advantages, but if you
prefer, you can get two-factor authentication in the latest Ubuntu without
involving a third party by installing _libpam-google-authenticator_ from
Ubuntu's "universe" repository.

Here's how you do it: first, _sudo apt-get install libpam-google-authenticator_;
second, run _google-authenticator_ as the user you will access remotely and
follow the instructions; then, edit _/etc/pam.d/sshd_ and add "auth required
pam_google_authenticator.so" on a new line; edit _/etc/ssh/sshd_config_ and add
(or change) the ChallengeResponseAuthentication line so it reads
"ChallengeResponseAuthentication yes"; and finally, _sudo service ssh restart_
to restart the ssh server.

More info is available from the packager of libpam-google-authenticator[1],
and from the Google Authenticator PAM module's README.[2]

--

[1] <http://blog.theroux.ca/security/ubuntu-2-step-authentication-with-google-authenticator/>

[2] <http://code.google.com/p/google-authenticator/source/browse/libpam/README>

--

Edits: Corrected typos; added more context.
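One way to apply the _/etc/ssh/sshd_config_ and _/etc/pam.d/sshd_ edits from those steps idempotently (added example, not from the linked packager post or the Ubuntu package; the function names and the run-on-a-copy-first workflow are assumptions):

```python
"""Idempotent helpers for the sshd + pam_google_authenticator steps above.

Added example, not the PAM module's or Ubuntu's code. The functions take the
file contents as strings so they can be tried on copies before touching the
real /etc/ssh/sshd_config and /etc/pam.d/sshd (both need root to write).
"""
import re
import sys

PAM_LINE = "auth required pam_google_authenticator.so"


def set_sshd_option(text: str, key: str, value: str) -> str:
    """Return sshd_config text with `key value` set in the global section.

    sshd uses the first value it reads for a keyword, and anything after a
    `Match` line applies only to that Match, so the directive is rewritten
    (also when it is commented out) at its first global occurrence, or
    inserted just before the first Match block if it is absent.
    """
    lines = text.splitlines()
    match_at = next((i for i, l in enumerate(lines)
                     if re.match(r"\s*Match\b", l, re.I)), len(lines))
    pat = re.compile(rf"^\s*#?\s*{re.escape(key)}\b", re.I)
    hits = [i for i in range(match_at) if pat.match(lines[i])]
    new = f"{key} {value}"
    if hits:
        lines[hits[0]] = new      # first occurrence wins; later ones are ignored by sshd
    else:
        lines.insert(match_at, new)
    return "\n".join(lines) + "\n"


def add_pam_line(text: str, line: str = PAM_LINE) -> str:
    """Append the PAM 'auth' line once; PAM compares whitespace-separated tokens."""
    wanted = line.split()
    for l in text.splitlines():
        if l.split("#")[0].split() == wanted:
            return text           # already present, nothing to do
    return text.rstrip("\n") + "\n" + line + "\n"


if __name__ == "__main__":
    # Usage: python this.py sshd_config_copy pam_sshd_copy  (hypothetical paths)
    sshd_path, pam_path = sys.argv[1], sys.argv[2]
    with open(sshd_path) as f:
        sshd = set_sshd_option(f.read(), "ChallengeResponseAuthentication", "yes")
    with open(pam_path) as f:
        pam = add_pam_line(f.read())
    open(sshd_path, "w").write(sshd)
    open(pam_path, "w").write(pam)
```

The sshd_config still has to be re-read by the server (the _service ssh restart_ step), and `sshd -t` is the usual way to check the edited file parses before restarting.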

~~~
danielpal
The biggest problem is you can't use ssh keys with this setup. It's too
restrictive, and certificates are a must for ssh.

Also what happens if you lose your cellphone? We thought about this and for
us the possibility of losing access to the server fully was too much.

~~~
keidian
You could probably do a hack to let the user login with ssh key and then
immediately force the second factor auth to be run, booting the user out if
they didn't pass it. Not the best way, but one option.

I also believe I once ran across a patch someone had done to the login code to
allow both to be required, I can't find the link right off though as I'm at
work currently. If I find it, I'll add it here.

~~~
j_s
A ForceCommand example (for Yubikey) is documented here:
<http://www.tuxz.net/blog/archives/2010/03/17/how_to_quickly_setup_two-factor_ssh_authentication/>

------
pejoculant
Pretty cool. Google Authenticator is another alternative that can be used via a
PAM module, with the additional benefit that it doesn't need to connect to
something else for verification.

<https://code.google.com/p/google-authenticator/>

~~~
dcu
The problem is that Google Authenticator stores the seed in the phone (and the
server), so if you lose it you basically lose the server too, right?

~~~
0x0
If you mean lose access to the server, then the google-authenticator sets you
up with a few emergency one-time codes you could write down on a note and keep
safe, in case your phone is lost.

~~~
jordibunster
I don't think google-authenticator does that, I think Gmail does that.

~~~
0x0
There's a bunch of references to scratch codes in the pam google-authenticator
module, but I haven't actually tried to run the code.

<http://code.google.com/p/google-authenticator/source/browse/libpam/google-authenticator.c#621>

------
subway
You should really package this up, and provide a signed repo instead of
relying on the busted SSL infrastructure and GitHub to provide security to
your users.

While this one isn't quite as offensive as some, all these curl/sudo/bash
combos really make me sad, particularly when used to "increase" security.

~~~
danielpal
You are right. Best for your infrastructure is to fork it and modify it. We,
for example, have a different version we use for chef that already includes
everyone's keys.

------
peterwwillis
SMS is not secure. It can be faked. It goes through multiple networks. It's
not encrypted. And if you use a GSM phone, this could be owned two years ago
at DEF CON: <http://www.pcmag.com/article2/0,2817,2367247,00.asp>. Not to
mention the provider-specific attacks, cloning, etc.

If you start pushing insecure technologies like this, people will just get
really comfortable with them and eventually get taken advantage of.

~~~
danielweber
Don't let the perfect be the enemy of the good.

~~~
peterwwillis
Can I quote you on that when the first "flaw in SMS used to circumvent two
factor authentication" article comes out?

A secured data connection is much better than SMS and easy to implement. But
this is still a 'something you send' factor, which can be intercepted. A
physical token or 'something you have' is more secure, and can also be easily
implemented with a YubiKey, a paypal/ebay authentication card, etc.

If you think your data is so valuable someone might install a keylogger to get
it, you might as well secure it as well as you reasonably can.

~~~
danielweber
In order for a flaw in SMS to break someone in, the attacker would need to
break both SMS and the traditional authentication channel.

Yes, SMS can be broken. I'm sure Google Authenticator is vulnerable to certain
attacks, too. Using them is better than throwing your hands up in the air and
saying "it's not perfect, we'd better not implement it because then people
will act as if they have perfect security!" Because people are already acting
like they have perfect security.

~~~
peterwwillis
You know this is the same reason people keep using telnet to manage their
routers. "To attack the protocol would be like totally hard, and upgrading the
routers to use ssh would be a pain in the ass. Telnet isn't perfect but it's
better than nothing!"

Yeah, SMS isn't perfect, and yeah, it's better than nothing. But you know what
else is better than nothing? Properly implemented TLS from an app or website
on the phone. Of course that has holes too, but it's encrypted and (hopefully)
authenticated unlike SMS. And it's available in every phone that can do SMS
(unless you don't pay for data).

You can do whatever you want. But if you give people a crappy option and a
good option, and the crappy option is slightly easier, they'll use the crappy
option. But if they want the extra security they'll use the extra click it
takes to make the good option work. Most people will just reason that nobody
will ever use a keylogger on them and keep using keys with passwords.

------
cmsj
In the video I see a private key coming from a Dropbox folder :(

Missing. The. Point.

~~~
jimktrains2
I didn't watch the video, but if the key is encrypted (password protected)
like it should be, what's the problem?

~~~
a_bonobo
In the comments the author states that his private key is inside a TrueCrypt
folder, and that folder is on Dropbox.

I know that's reasonably secure but it _feels_ terrible.

------
mbq
One more option is Barada PAM module+Android app.
<http://barada.sourceforge.net/> It is basically a HOTP implementation, where
the token is protected by PIN (with PIN being a missing part of the shared
secret stored on the token) and the original password is reserved only to be
used on trusted machines (or) in case of losing token.

------
a3_nm
Does this mean that you ping them whenever you ssh? Does this mean that if
their service is down you won't be able to ssh anymore?

~~~
piotrSikora
From <https://github.com/authy/authy-ssh/blob/master/authy-ssh#L112>:

    Default action when api.authy.com cannot be contacted:

      1. Disable two factor authentication until api.authy.com is back
      2. Don't allow logins until api.authy.com is back

~~~
ikonst
What?! This is an online method? Why don't people just use Google
Authenticator? It's totally offline, on both ends.

------
dsl
If you are looking for a clean reliable two-factor auth system, I highly
recommend Duo: <http://www.duosecurity.com/>

I've been using them across a half dozen personal machines for quite a while
now, looking to roll it out at work as well.

~~~
davidblondeau
Right, Duo is great. Love the fact you can install it over the whole
enterprise including applications, blogs (Wordpress), vpns, and ssh.

------
stcredzero
Has anyone added this to other than a server? Seems like this could be added
to a notebook or desktop running OS X. (And for that, I would actually prefer
Google Authenticator.)

Also, it occurs to me: With TFA, it finally makes sense to periodically change
passwords.

------
aclimatt
Seriously? Another (virtual) token-based 2FA solution? What is your
competitive advantage against Duo, Authentify, Entrust, and the thousand other
SMS or virtual token 2FA solutions out there?

~~~
danielpal
We make it really easy for anyone to use 2FA. The reason 2FA is not popular is
not because there aren't enough solutions out there, it's because all of them
are basically really hard to use. Especially those that claim to be easy; they
are the opposite.

~~~
aclimatt
A valid goal, but I think you're misunderstanding your market: in your words,
people don't use 2FA because it's hard to use -- not hard to implement.
Organizations who have IT teams are fully capable of implementing reasonable
APIs like what Duo or Google offers. But you'll realize that enterprises don't
even care about the architecture, because they'll be paying you to implement
it anyway.

No, the reason nobody (in and only in the US) uses 2FA (because nearly every
other country in the world uses it widely) is because it's a pain to use for
the end user. No enterprise is going to invest their time and energy into a
solution unless they're either required to by regulations or it is truly better,
easier, more secure, or whatever than competing solutions to make it a
compelling sale.

If this were a hobby project then I'd be cheering you on -- why not make a
token 2FA with a slightly better API? But as a YC-funded company whose likely
avenue of success will be through the enterprise market, you NEED to develop a
product that is better, faster, easier, more secure, etc than your (rather
formidable) competition.

Trust me, I'm familiar with this market ;).

------
tylermenezes
Been using this for around a month and it's great. Highly recommended.

------
gizzlon
Hm, can somebody explain what threat two-factor ssh-login is a response to?

If somebody went through the trouble of owning your machine, can't they bypass
the two-factor as well? Yes, it requires a more "live" and targeted attack, but
one would think ssh attacks like these are pretty targeted in the first place.
Or? What am I missing?

~~~
darklajid
Maybe I'm missing some assumptions of yours, but for me the reason to do that
is to .. protect the ssh login.

Who talks about a machine that is owned? This is about an additional
requirement to log on to a service, be it ssh or email. Whether you're reusing
your password, sharing it or just using a really bad one, this adds an additional
step to impersonate you.

~~~
gizzlon
Yeah, but you can log-in with private keys instead of passwords, so that
problem was solved a long time ago.

------
eslachance
This is great but one thing bugs me. When you add a new user, you have to
restart SSH? Wouldn't that prevent people from connecting every time a new
user is added?

~~~
dcu
Even if you restart the ssh server it won't prevent people from connecting to
the server because SSH forks the clients.

~~~
eslachance
Ah, that clears it up. Thank you!

------
peacetara
What about two-factor authentication for sudo? I'd rather start my users off
with sudo 2 factor auth, and grow them into two-factor auth for ssh and other
stuff.

------
bbromhead
Fairly certain port forwarding still works while a command specified in
ForceCommand is still running or if you specify a non-interactive shell.

Though I haven't checked ;)

------
darklajid
I added support for yubikey to my installation. That thing's always on my
keychain and can be used as second factor or otp generator (or both).

------
amirmansour
This is awesome. I wish the people at Authy the best. Now I'm gonna 2-factor
auth the hell out of everything.

------
jfaucett
yes exactly what I've been looking for, awesome tool! Thanks for sharing.

------
msie
I can't wait until three-factor authentication!!!

------
SanjayUttam
Great idea

------
raffpaquin
Simple and great idea

