The Community Forums


TwoFactor SSH using Google-Authenticator

Discussion in 'Workarounds and Optimization' started by morgz, Aug 6, 2016.

  1. morgz

    If you want paranoia hardening, you can add two-factor SSH using Google-Authenticator.
    Not only would someone require your ssh-key, but also a time-based verification code.

    Disclaimer: to help you avoid locking yourself out while setting this up:
    • Maintain a separate root sshd connection (worst-case scenario life-line).
    • Add a temporary non-2FA admin/root access account.
    • Do not restart the server; only restart the sshd service.
    • Double-check your changes and do not foul up the context, or you might lock yourself out.
    • Do not hold cPanel Inc. or myself responsible for damages resulting from locking yourself out.
    Step One - Install Dependencies
    Depending on which operating system you're using:

    CentOS: You'll have to compile google-authenticator to get the .so, so you'll need to google the instructions for that.

    However, if you're running Ubuntu it's as easy as:
    Code:
    sudo apt-get install libpam-google-authenticator
    libqrencode3 will be installed automatically and will allow you to use the camera of your phone to scan the QR code directly from the console.

    • Install Google-Authenticator on your mobile device, and
    • WinAuth on your desktop if you so choose to have a backup


    Step Two - Edit the Configuration Files
    To use the module you have to edit two configuration files.

    Code:
    nano /etc/pam.d/sshd
    Add the following line on top of the file:
    Code:
    auth required pam_google_authenticator.so
    I had to use this entry; however, this will enforce the requirements of ssh-key and 2FA code only:
    Code:
    auth       [success=done new_authtok_reqd=done default=die]     pam_google_authenticator.so nullok
    • [success=done new_authtok_reqd=done default=die] means don't ask for a password; I had to have this, otherwise it wasn't asking for the verification code.
    • "nullok" means that if the user has not set up google-authenticator on their account, google-authenticator is bypassed.

    One more file to edit:
    Code:
    nano /etc/ssh/sshd_config
    Find and change the following line:
    Code:
    ChallengeResponseAuthentication yes

    Step Three - Activate the Two-Factor Authentication For a User
    You can activate the google-authenticator for the root user or any other user. Switch to the user who should use the two-factor authentication and type in:

    Code:
    google-authenticator
    You will be prompted to answer a few questions; answer the first two questions with yes (y):

    Do you want authentication tokens to be time-based (y/n) y
    Do you want me to update your "/home/USERNAME/.google_authenticator" file (y/n) y
    You can answer the next questions according to your needs.

    You can use the Google Authenticator app to scan the QR code, or add the account using the secret key and the verification code. Do not forget to print out the emergency scratch codes and store them in a safe place!


    Switch back to root and restart the SSH service. If you added the two-factor authentication for the root user you can skip the next step.

    Code:
    sudo su root
    Finally restart the SSH service:
    Code:
    CentOS: systemctl restart sshd
    Ubuntu: service sshd restart
    Make sure you test both authentication fails and successes before closing your emergency life-line connection.
    Once everything is working as expected, be sure to close your temporary admin account.

    Time to break out the tin foil hats! You now have an ultra-secure SSH at a paranoia level.
    Just don't lose access to your phone.
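    As an added example (not from the original post or from cPanel): a small bash script that applies the two edits from Step Two idempotently to configuration files passed as parameters, so they can be rehearsed on copies in /tmp and checked (including `sshd -t` when the real sshd_config is the target) before sshd is restarted and the life-line connection is closed. The function names and the sample config contents are assumptions.

```bash
#!/usr/bin/env bash
# Added example: apply the PAM and sshd_config edits from the post to the files
# given as arguments. Paths are parameters so the script can be rehearsed on
# copies before touching /etc. Function names are this example's own.
set -eu

# Exact PAM entry from the post (key + verification code only, nullok for users
# without a ~/.google_authenticator file).
PAM_LINE='auth       [success=done new_authtok_reqd=done default=die]     pam_google_authenticator.so nullok'

# Prepend PAM_LINE to the given pam.d/sshd file unless it is already present,
# so running the script twice does not stack two authenticator prompts.
add_pam_line() {
  local pamfile="$1"
  if grep -q 'pam_google_authenticator.so' "$pamfile"; then
    return 0
  fi
  { printf '%s\n' "$PAM_LINE"; cat "$pamfile"; } > "$pamfile.tmp"
  mv "$pamfile.tmp" "$pamfile"
}

# Set ChallengeResponseAuthentication yes in the given sshd_config, replacing an
# existing (possibly commented-out) directive, or appending one if none exists.
set_challenge_response() {
  local conf="$1"
  local pat='^[[:space:]]*#?[[:space:]]*ChallengeResponseAuthentication([[:space:]]|$)'
  if grep -Eq "$pat" "$conf"; then
    sed -E -i 's/^[[:space:]]*#?[[:space:]]*ChallengeResponseAuthentication([[:space:]].*)?$/ChallengeResponseAuthentication yes/' "$conf"
  else
    printf 'ChallengeResponseAuthentication yes\n' >> "$conf"
  fi
}

# Confirm both edits landed exactly once; when the target is the live
# sshd_config, also let sshd syntax-check it before anyone restarts the service.
# Returns non-zero on any problem so a wrapper can refuse to restart sshd.
check_2fa_config() {
  local pamfile="$1" conf="$2"
  head -n1 "$pamfile" | grep -q 'pam_google_authenticator.so' || return 1
  [ "$(grep -Ec '^ChallengeResponseAuthentication yes$' "$conf")" -eq 1 ] || return 1
  if [ "$conf" = /etc/ssh/sshd_config ] && command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$conf" || return 1
  fi
  return 0
}
```

Rehearse with `cp /etc/pam.d/sshd /etc/ssh/sshd_config /tmp/` and the three functions on the copies; only once `check_2fa_config` passes on the real files should the service be restarted.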
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
    Hello,

    Thank you for taking the time to provide us with your custom workaround. I've moved this thread to our "Workarounds and Optimization" forum. Also, I've responded to your inquiry about editing threads via our forum's private messaging system.

    Thanks!