Two-factor-authentication

From aldeid

Description

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Client

Google Authenticator


oathtool (CLI)

Description

Generate and validate OATH one-time passwords.

Usage

Usage: oathtool [OPTIONS]... [KEY [OTP]]...

  -h, --help                     Print help and exit
  -V, --version                  Print version and exit
      --hotp                     use event-based HOTP mode  (default=on)
      --totp                     use time-variant TOTP mode  (default=off)
  -b, --base32                   use base32 encoding of KEY instead of hex  (default=off)
  -c, --counter=COUNTER          HOTP counter value
  -s, --time-step-size=DURATION  TOTP time-step duration  (default=`30s')
  -S, --start-time=TIME          when to start counting time steps for TOTP  (default=`1970-01-01 00:00:00 UTC')
  -N, --now=TIME                 use this time as current time for TOTP  (default=`now')
  -d, --digits=DIGITS            number of digits in one-time password
  -w, --window=WIDTH             window of counter values to test when validating OTPs
  -v, --verbose                  explain what is being done  (default=off)

Server

Protect your SSH access with two-factor authentication

Installation

If your distribution packages the PAM module, just install it:

# aptitude install libpam-google-authenticator

If no package is available for your distribution yet (e.g. Debian Stable "wheezy"), you can build and install it manually:

# aptitude install libpam0g-dev git-core
# git clone https://code.google.com/p/google-authenticator/
# cd google-authenticator/libpam/
# make install

Then register the PAM module for sshd and enable challenge-response authentication in sshd_config (the module prompts for the code through PAM, so ChallengeResponseAuthentication must be set to yes):

# echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
# sed -i "s/ChallengeResponseAuthentication\ no/ChallengeResponseAuthentication\ yes/" /etc/ssh/sshd_config

Once this is done, log in as the user who will connect via SSH and run google-authenticator:

$ google-authenticator

You will be prompted to answer some questions:

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/me@myserver%3Fsecret%3DABCDEFGHIJKLMNOPQR
Your new secret key is: ABCDEFGHIJKLMNOPQR
Your verification code is 123456
Your emergency scratch codes are:
  12345678
  01234567
  81234567
  13245873

Do you want me to update your "/home/me/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Once done, restart the ssh service:

# service ssh restart

The next time you connect, you will be asked for your standard password and then for the two-factor code:

$ ssh me@myserver
Password:
Verification code:
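The following Python script is an added example (not part of the original article, oathtool or google-authenticator) that implements what the two tools above do: HOTP per RFC 4226, TOTP per RFC 6238 with the default 30 s step, and a server-side check with the +/-1 step skew window and the "disallow multiple uses of the same token" rule chosen in the prompts. It reuses the base32 secret printed by google-authenticator on this page; the class and function names are this example's own.

```python
"""TOTP/HOTP generation and validation (RFC 4226 / RFC 6238), mirroring
oathtool and pam_google_authenticator: base32 secret, 30 s time step,
a +/-1 step skew window, and rejection of an already-used token."""
import base64
import hashlib
import hmac
import struct

# Secret printed by google-authenticator on this page (base32, 18 chars).
SECRET_B32 = "ABCDEFGHIJKLMNOPQR"


def decode_base32(secret):
    """Decode a base32 secret, restoring the '=' padding tools usually omit."""
    secret = secret.strip().upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_step(now, step=30, start=0):
    """Counter for a Unix timestamp (oathtool's -s / -S defaults)."""
    return int((now - start) // step)


def totp(key, now, step=30, digits=6):
    """Equivalent of: oathtool --totp -b SECRET --now=<now>"""
    return hotp(key, time_step(now, step), digits)


class TotpVerifier:
    """Server-side check: skew window plus replay protection. Like the PAM
    module's reuse rule, a token is accepted only once; this version is
    stricter and also refuses any step older than the last accepted one."""

    def __init__(self, key, window=1, step=30, digits=6):
        self.key, self.window, self.step, self.digits = key, window, step, digits
        self.last_counter = -1  # highest time step already accepted

    def verify(self, code, now):
        current = time_step(now, self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already used
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False
```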



Keywords: two-factor authentication oathtool google-authenticator libpam-google-authenticator