Skip to content

Instantly share code, notes, and snippets.

@k5njm

k5njm/Google2FA.md

Last active April 25, 2017 19:56
Show Gist options
  • Save k5njm/57f57c0755f84a42f422663758d98c8d to your computer and use it in GitHub Desktop.
Save k5njm/57f57c0755f84a42f422663758d98c8d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Google2FA.md

Using 2FA from Google-Authentication with SSH

Including access list to prevent 2FA for specified IP ranges

Some guides

Install the Google Authenticator tool:

For Ubuntu:

sudo apt-get install libpam-google-authenticator

Docs: https://github.com/google/google-authenticator-libpam

Run google-authenticator

> google-authenticator

Follow prompts. When complete, you'll have your secret key in ~/.google_authenticator

Configure PAM

In /etc/pam.d/sshd add:

# skip one-time password if logging in from the known network                    
auth [success=done default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth       required     pam_google_authenticator.so

and comment out:

# Standard Un*x authentication.
#@include common-auth

Create the ACL

Create /etc/security/access-local.conf:

 # only allow from specified IPs  and range                                                 
   2 + : ALL : 10.0.1.1/24 #My local network                                                          
   3 + : ALL : **XXX.XXX.XXX.XXX** #My home IP                                                         
   4 + : ALL : LOCAL                                                                  
   5 - : ALL : ALL

Configure SSHD

In /etc/ssh/sshd_config add/modify so that:

PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment