OpenSSH 2FA Google Auth

Page content

Let’s give a try with Alpine Linux, OpenSSH and 2FA with Google Authenticator.

add Packages

apk add openssh openssh-server-pam google-authenticator openssh-doc google-authenticator-doc libqrencode

Configure GoogleAuth

touch /etc/pam.d/sshd
ln /etc/pam.d/sshd /etc/pam.d/sshd.pam

cat << 'EOF' >> /etc/pam.d/sshd.pam
account   include     base-account

auth      required    pam_env.so
auth      required    pam_nologin.so  successok
auth      required    /lib/security/pam_google_authenticator.so   echo_verification_code grace_period=57600 nullok
auth      required    pam_unix.so   md5 sha512
EOF

update sshd_config

cat << 'EOF' >> /etc/ssh/sshd_config
PasswordAuthentication no
AuthenticationMethods any
UsePAM yes
EOF

Restart SSHD

service sshd restart

Setup User

su - USERNAME
google-authenticator

Response

-> yes
-> scan QR Code with Google Auth App
-> Enter Code from App
-> yes
-> yes
-> yes
-> yes

Give a Try

with SSH Key

$ ssh -l stoege alpine
Welcome to Alpine!

alpine:~$ 

without SSH Key

$ ssh -o PubkeyAuthentication=no -l stoege alpine
(stoege@alpine) Verification code: 123456
(stoege@alpine) Password: 
Welcome to Alpine!

alpine:~$

… and it works ! If i offer a public Key, i can login with the Key. Otherwise, i need Password & Google Auth as 2nd Factor. Nice :)

Config File

alpine:~$ cat .google_authenticator 
PWZ7XXXXXXXXXXXXXXXXXXXXXX
" LAST0 XXX.XXX.XXX.XXX 1659XXXXXX
" RATE_LIMIT 3 30 1659XXXXXX
" WINDOW_SIZE 17
" DISALLOW_REUSE 55XXXXXX
" TOTP_AUTH
74XXXXXX
13XXXXXX
35XXXXXX
76XXXXXX
71XXXXXX

sha256: 2cd87fbd49bba372a2327643cb8cb9220261908960935980f8e1849abe89b209