We have been doing some work recently with Amazon Web Services and noticed that it now supports using Google Authenticator for
two-factor authentication. For those who don't know, Google Authenticator is an application that you install on your Android phone or
iPhone which acts like an RSA token, providing a one-time code that changes every 30 seconds.
When I saw that Amazon had integrated it into AWS, it got me thinking that we could use it to secure some of our perimeter CentOS hosts
using an SSH PAM module. A little bit of searching showed that this was possible, and this post details how it was done.
Install CentOS 6.2.
Download the source for the PAM module here.
Unpack the installation by running the following command:
Change to the extracted directory and execute the command make install:
Installing the PAM module
Back up the file /etc/pam.d/sshd and add the following lines to it:
Back up the file /etc/ssh/sshd_config and ensure the following lines are present:
Once these changes have been made, restart SSH by executing the following command:
Setting up the key for a user
su to the user that you want to generate the token for and execute the google-authenticator command:
You will notice above that it displayed a secret key and a URL. Open the URL and it will show you a QR code.
Open the authenticator application, click the Scan Barcode button and scan the barcode from your screen.
You should then see the counter for the application.
Open up a new SSH terminal (such as PuTTY) to the host and log in as the user that created the token above.
Enter the verification code from Google Authenticator.
Enter the user's password.
All being well, you should be able to log in as shown below: