Solved

Google two-factor authentication not working on my Ubuntu 14.04 LAMP server

Posted on 2014-08-13
Last Modified: 2014-08-17
Hi,
I have a Ubuntu 14.04 x64 server and I followed all your steps.
Since I have only one user on my server (I have disabled root login) and I already do an SSH login with that username, I ran the google-authenticator command logged in as user lupocatttivo@octane (lupocatttivo = username, octane = machine name):
lupocatttivo@octane:~$ google-authenticator



The only change I made is to the command: /etc/init.d/ssh restart
I used sudo service ssh restart instead as the above command did nothing (with or without "sudo" in front of it).

The procedure seemed to run smoothly, including the QR code generation etc. Then I rebooted the server and when asked to login I entered the username "lupocatttivo" and it logged in as usual without asking me for any other code or password:

login as: lupocatttivo
Authenticating with public key "my-home-pc"
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.15.4-x86_64-linode45 x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Thu Aug 14 02:20:31 2014




What am I doing wrong? Any help would be appreciated.

Thanks in advance
Question by:badwolfff
22 Comments
 

Author Comment

by:badwolfff
ID: 40261658
I found this article which, although slightly outdated, seems to be saying that what I am trying to do - make SSH key-based authentication and Google two-factor authentication work together - is impossible?:

https://code.google.com/p/google-authenticator/issues/detail?id=40

Please someone comment. Has no one had any similar problem?
Entering into my server without the private key is impossible but if that got stolen it is easy.
I wanted to have that level of protection and add a second layer on top by inserting a google authenticator code.
Together it would be impossible for someone to get in.

If this is impossible, are there any other suggestions to create a two factor-authentication using any other reliable method that might work on Ubuntu 14.04 and work alongside SSH Key-based authentication?

thanks in advance
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40262737
Did you register yourself for the Ubuntu 2 factor authentication beta test?

According to this article: https://help.ubuntu.com/community/SSO/FAQs/2FA you need to register yourself for the beta test here: https://launchpad.net/~sso-2f-testers
0
 

Author Comment

by:badwolfff
ID: 40262741
Hi,
No I did not register but I don't see any direct connection between registering on a forum and having a software behave on a server. Plus on the website you indicate the description starts with:

"Two factor authentication increases computer security further than just a user name and password. In addition to a password (the first factor) you need something else in order to access a system. "

If I am not mistaken, it means the first layer is comprised of login + password and the second is Google authentication.
There is no mention at all of any compatibility with SSH public key authentication.

Please correct me if I am wrong.

thanks again
0

 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40262749
>> Please correct me if I am wrong.
I will do some testing as well and let you know.
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40263365
You're right, registration is not needed. I've configured a VM with Ubuntu 14.04 and then did the following:

$ sudo apt-get install libpam-google-authenticator
$ google-authenticator
( answered all questions with Yes, scanned the QR code with my phone that has the Google Authenticator app installed, added gerwin@ub1404test)

Installed lightdm through Ubuntu Software Center (for testing).

# cd /etc/pam.d
# vi lightdm
( added: auth required pam_google_authenticator.so nullok )

Restarted and logged on with user and password, then got prompt for authentication code, looked up the current code on my phone and the logon worked.

For ssh I had to change 2 things:

# cd /etc/pam.d
# vi sshd
( added: auth required pam_google_authenticator.so)
# cd /etc/ssh
# vi sshd_config
( edited: ChallengeResponseAuthentication yes )

# service sshd restart

Then tried logging in with PuTTY to the VM Ubuntu machine, which worked:

[Screenshot: 2 factor authentication in Ubuntu 14.04]
Note that if you leave out the nullok at the end of the auth config line then the users must use 2 factor authentication.
0
 

Author Comment

by:badwolfff
ID: 40263996
Hi Gerwin,

thanks for going through all this trouble for me!

So let me get this straight.

1. I don't see that from your screenshot so I am assuming you got the SSH public key auth working together with Google Two-Factor Authentication. Am I right?

2. If yes, then did you get asked first the login, then the password and then the google auth code, or just the login and the google auth key?
I ask this as on my box I have passwordauthentication turned to OFF at the moment. Do I need to turn it on?

3. May I review the procedure for you to confirm?:
$ sudo apt-get install libpam-google-authenticator
$ google-authenticator
Answered all with yes, scan code with iPhone Google Auth app

# cd /etc/pam.d
# vi lightdm
insert into it:
auth required pam_google_authenticator.so nullok

# cd /etc/pam.d
# vi sshd
insert into it:
auth required pam_google_authenticator.so

# cd /etc/ssh
# vi sshd_config
change to:
ChallengeResponseAuthentication yes
# service sshd restart

Sorry about the pedantic, long-winded question but I can hardly believe you managed to do it. On two other fora I had no success, I even wrote to google and tried to search everywhere for an answer. If you could please confirm all of the above, I can get down to it straight away :D

thanks again
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40264133
>> thanks for going through all this trouble for me!
No problem at all ;)

>> I don't see that from your screenshot so I am assuming you got the SSH public key auth working together with Google Two-Factor Authentication. Am I right?
No, I did not set up ssh public keys yet, I'll give it a go. The screenshot shows that I'm using keyboard-interactive authentication, so I'm just typing the password. And the verification code after that (Google Authenticator).

>> I have passwordauthentication turned to OFF
Where did you turn that off exactly?

>> May I review the procedure for you to confirm?:
- Your iPhone is my Android device
- The 2 inserts - I just added the lines at the end of the 2 config files.

Going to setup ssh keys, get back to you after that.
0
 

Author Comment

by:badwolfff
ID: 40264144
sudo nano /etc/ssh/sshd_config

PasswordAuthentication no
PermitRootLogin no


My settings are as above

thanks again
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40264247
Hmm, with ssh keys setup, I also get no prompt for the verification code. Found a sample (same forum you looked probably) with OATH and Google 2FA - did not get this to work yet with ssh-keys and 2FA. Will do some more investigating. For now, using keyboard-interactive, I get the 2FA and for the GUI login in Ubuntu. Not for ssh keys (yet).
0
 

Author Comment

by:badwolfff
ID: 40264294
There you are! This however does not correspond with so many online tutorials! Either most people are just talking through their hats and this doesn't work or it is time someone found out how :)

thanks
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40264789
Did some more testing, got a configuration that lets me use ssh keys together with password + verification code. Not ssh keys + verification code only. Manual of sshd_config says that there must be a possibility by using AuthenticationMethods (which I used for the test above):

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5?query=sshd_config&sec=5

Think that I have to configure the pam for google-authenticator like this:

AuthenticationMethods publickey,keyboard-interactive:pam

where the pam must refer to the google-authenticator.

I did not manage to get this working as of yet.
0
 

Author Comment

by:badwolfff
ID: 40264799
Thanks
The damn problem is that in theory it should work...
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40264898
Correct, found a guy that claims it is working, not much different from what I've tried so far but doesn't work (for me).
0
 

Author Comment

by:badwolfff
ID: 40264937
Is it different from what we've been doing?
It seems he's added a couple more params in the config file like:

PermitEmptyPasswords no
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

and also in /etc/pam.conf he's specified the .so path more precisely
sshd    auth required          /ec/lib/security/pam_google_authenticator.so

I'll try this out too, perhaps his details make the difference.
Compare notes later?

thanks
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40265011
I've tried the setting in pam.conf (with the correct path) and the other parameters as well, no effect. I'll see if I can find some help from OpenSSH, or maybe just try the same setup with Fedora.
0
 

Author Comment

by:badwolfff
ID: 40265159
Yes you are right. I tried it just now too and the damn SSH key bypasses all other types of authentication.
In fact I even set passwordAuthentication to yes and rebooted the server, but still no password was asked.
Instead when I start putty, If I try to login as a user that does not have an SSH Key (for example, root user, even though in my case the root login is off), then I get asked password as well as the google key (with or without passwordAuthentication set to off). Of course, since my root user is disabled, I get asked all this but then it fails.
So I don't know if my experiments add anything to yours but that's what I found out.
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40266373
I've tested on Fedora (20) as well, same issue there. It looks to me like these are the possibilities:
(with google authenticator enabled)

1 - (password + verification code)
2 - ssh keys
3 - ssh keys + (password + verification code)

I'm thinking (opinion) that option 1 would give you perfect 2 factor authentication whereas option 3 would be a bit 'too much'. Your desired option would be this:

4. ssh keys + (verification code)

For option 4 I've been doing some investigation and found no working solution so far, even where the OpenSSH documentation mentions that with the option AuthenticationMethods this combination can be used: publickey,keyboard-interactive:pam - the issue is that keyboard-interactive automatically means password the way I understand it.

Did you do some further testing? What are your thoughts on this? I'd like to know if that 4th option is possible but that would require posting questions at google or OpenSSH to gather details, this will take some time (tbd).
0
 

Author Comment

by:badwolfff
ID: 40266392
Thank you so much for all your effort. I wrote to google but got no reply. I have come across an equivalent alternative. If you are available we could both test and see if that works:
https://www.digitalocean.com/community/tutorials/how-to-install-authy-and-configure-two-factor-authentication-for-ssh

The basic modus operandi is similar. Also since I use winscp as ftp I believe, or so it appears, that there might be a solution for logging into the sftp even with this second-factor auth: https://github.com/authy/authy-ssh#scp-mosh-and-git-push-with-two-factor-authentication

I think I will test it tomorrow when I get back in office. If you, in the meantime, would like to give it a whiz since you already have the environment all setup, by all means please do so. It would be great to find out if this works.

As per the last test you did, of all the combinations I tried the only ones I could manage to make work were:
1. SSH key and nothing else
2. Password + google authcode

I never got it to work as SSH KEY + PASSWORD + GOOGLE AUTH CODE. When I had the ssh public key active, with or without password set as active Putty still bypassed all other forms. Did you have different results? I say so only because, even though it might be overkill, if it worked it would be great. It'd be like having a three-factor auth then. Any ideas?
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40266400
>> I never got it to work as SSH KEY + PASSWORD + GOOGLE AUTH CODE. When I had the ssh public key active, with or without password set as active Putty still bypassed all other forms. Did you have different results? I say so only because, even though it might be overkill, if it worked it would be great. It'd be like having a three-factor auth then. Any ideas?
Will post you the details of my setup later today.
0
 
LVL 38

Accepted Solution

by:
Gerwin Jansen, EE MVE earned 2000 total points
ID: 40266486
To get SSH KEY + PASSWORD + GOOGLE AUTH CODE working, I did the following:

- Generate ssh keypair on desktop (Win7) using puttygen - copied public key to ~/.ssh/authorized_keys (on Ubuntu and Fedora) - used pageant to load private key
- Created a new session in PuTTY and selected private key under Connection-SSH-Auth. Left default settings "Display pre-authentication ... ", "Attempt authentication using Pageant" and "Attempt keyboard-interactive ..."

- Installed google-authenticator (on Ubuntu and Fedora) and configured under my username (so I've got 2 entries in the authenticator app)
- Made changes to /etc/ssh/sshd_config:
    ChallengeResponseAuthentication yes (instead of no)
    AuthenticationMethods publickey,keyboard-interactive:pam (line added - with or without :pam - no difference)
- Made change to /etc/pam.d/sshd:
    auth required pam_google_authenticator.so (line added)
- Made sure ntp is working (time needs to be synced)
- Restarted ssh daemon:
    service sshd restart
- Started pageant, loaded private key (enter password for key)
- Connected using new PuTTy session created above:
Using username "gerwin".
Authenticating with public key "rsa-key-for-testing" from agent
Further authentication required
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Verification code:
Last login: Sun Aug 17 15:06:24 2014 from www.xxx.yyy.zzz
[gerwin@localhost ~]$


This is option 3.

To add option 1 as a possible way of authenticating, I changed this line:

AuthenticationMethods publickey,keyboard-interactive keyboard-interactive
(restart sshd again)
0
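An added example, not part of the original thread or of any participant's setup: a small audit that reads an sshd_config and the sshd PAM service file and reports which factors each AuthenticationMethods entry from the accepted answer really demands. The function names, the output format and the sample files are constructed for illustration, and the PAM check assumes the Debian/Ubuntu layout in which the password prompt comes from `@include common-auth`.

```shell
#!/bin/sh
# Added example, not from the thread: list the factors each AuthenticationMethods
# entry demands, by reading sshd_config together with the sshd PAM auth stack.

# First value of a keyword (sshd uses the first occurrence; keywords ignore case).
sshd_value() {  # $1=sshd_config  $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Prompts the PAM auth stack issues during keyboard-interactive (Ubuntu layout assumed).
pam_prompts() {  # $1=PAM service file
    awk '
        /^[ \t]*#/ { next }
        ($1 == "@include" && $2 == "common-auth") || ($1 == "auth" && /pam_unix\.so/) {
            out = out " + password" }
        $1 == "auth" && /pam_google_authenticator\.so/ {
            if (/nullok/) out = out " + code(optional: nullok)"
            else out = out " + code" }
        END { sub(/^ \+ /, "", out); print out }' "$1"
}

# One line per method list: "<list> => <factors>".
describe_methods() {  # $1=sshd_config  $2=PAM service file
    methods=$(sshd_value "$1" AuthenticationMethods)
    [ -n "$methods" ] || { echo "(unset) => any one method succeeds; a key alone logs in"; return; }
    kbd=$(pam_prompts "$2")
    for list in $methods; do
        factors=$(printf '%s\n' "$list" | tr ',' '\n' | while read -r m; do
            case "$m" in
                publickey) echo "key" ;;
                keyboard-interactive*) echo "$kbd" ;;
                *) echo "$m" ;;
            esac
        done | paste -sd '|' - | sed 's/|/ + /g')
        echo "$list => $factors"
    done
}

# Constructed sample files mirroring the accepted answer's settings.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ChallengeResponseAuthentication yes' 'UsePAM yes' \
        'AuthenticationMethods publickey,keyboard-interactive keyboard-interactive' > "$d/sshd_config"
    printf '%s\n' '@include common-auth' 'auth required pam_google_authenticator.so' > "$d/sshd"
    describe_methods "$d/sshd_config" "$d/sshd"
    rm -rf "$d"
}
demo
```

Run against real files as `describe_methods /etc/ssh/sshd_config /etc/pam.d/sshd`. The keyboard-interactive prompts are whatever the PAM auth stack asks for, so with `@include common-auth` commented out in the PAM file the same report reads key + code for the publickey,keyboard-interactive entry.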
 

Author Comment

by:badwolfff
ID: 40266809
Yes, o god yes! It works! :)
You are a genius!
Thanks for your persistence!
0
 

Author Comment

by:badwolfff
ID: 40266813
For the sake of everyone else's benefit, neither of us got the two-factor auth working for SSH Key + Google code.
As I have it now, it is a three-factor authentication, perhaps even more secure than any other possible combination:
ssh public key + google auth code + password.

In addition to Gerwin's notes, whoever desires to achieve the same results should follow the tutorial here:
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication

Should anyone manage the SSH key + google auth (without password) please write here as I remain curious.
0
