
== Two Factor Authentication ==
We will enable two factor authentication on our Ubuntu server. To implement it we will use multi-factor authentication with Google Authenticator.

=== Google Authenticator ===
- Install Google Authenticator from the following link on your Android device/iPhone/iPad/BlackBerry/Firefox device
{{{
https://support.google.com/accounts/answer/1066447?hl=en
}}}
- Follow the instructions and install the app on your mobile.
- Or you can search for google-authenticator in Google Play or the Apple App Store.

=== Create an Authentication Key ===
- Go to the Ubuntu VM
- Install the google-authenticator module first:
{{{
sudo apt-get update
sudo apt-get install libpam-google-authenticator
}}}
- Log in as the user you'll be logging in with remotely and run the google-authenticator command to create a secret key for that user.
{{{
$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
}}}
- You will get some QR code output like below:

You will be prompted for some configuration options.
- Scan the QR code that appears with the Google Authenticator app, or enter the secret key into the Google Authenticator app manually.
- Save the backup codes listed somewhere safe. They will allow you to regain access if you lose the phone with the Authenticator app.
- Next it will ask several questions; unless you have a good reason not to, the defaults presented are sane. Just enter "y" for them.
{{{
Do you want me to update your "/home/fakrul/.google_authenticator" file (y/n)
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n)
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n)
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n)
}}}

=== Enable two factor authentication for SSH ===
- Edit the /etc/pam.d/sshd file
{{{
sudo vi /etc/pam.d/sshd
}}}
- Add the following line:
{{{
auth required pam_google_authenticator.so
}}}
- ''':wq''' Save and quit.
- Edit the /etc/ssh/sshd_config file
{{{
sudo vi /etc/ssh/sshd_config
}}}
- Search for '''ChallengeResponseAuthentication''' and replace no with yes
{{{
ChallengeResponseAuthentication yes
}}}
- ''':wq''' Save and quit.
- Now you need to reload the ssh service. You can do it this way:
{{{
sudo service ssh restart
}}}

=== Login to the server ===
Try to ssh to the server from a new terminal. It will ask for the verification code.
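To show what the verification code prompt is actually checking, here is an added Python example (not part of this wiki page or of libpam-google-authenticator) that reads a constructed ~/.google_authenticator style file, computes the RFC 6238 TOTP code the phone app would show, and verifies it with the module's default window of one token before and after the current one and the "disallow reuse" rule from the questions above. The file layout and the option names are assumptions modelled on what the tool writes; the secret is the public RFC 4226/6238 test key.

```python
import base64
import hashlib
import hmac

# Constructed sample in the layout google-authenticator writes to
# ~/.google_authenticator: base32 secret first, option lines prefixed with
# a double quote, then the emergency scratch codes. The secret is the
# RFC 4226/6238 test key "12345678901234567890" encoded in base32.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
23456789
"""

def parse_secret_file(text):
    """Return (raw secret bytes, option strings, scratch codes)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    secret = base64.b32decode(lines[0])
    options = [l[1:].strip() for l in lines[1:] if l.startswith('"')]
    scratch = [l for l in lines[1:] if not l.startswith('"')]
    return secret, options, scratch

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, now, step=30):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30s)."""
    return hotp(secret, int(now) // step)

def verify(secret, code, now, window=3, used=None, step=30):
    """Accept a code within `window` steps centred on now (3 = +/-1 step,
    the 1:30 min default); `used` tracks accepted counters so the same
    token cannot be replayed when DISALLOW_REUSE is in effect."""
    centre = int(now) // step
    for counter in range(centre - window // 2, centre + window // 2 + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            if used is not None:
                if counter in used:
                    return False
                used.add(counter)
            return True
    return False
```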