Ubuntu Server - Google Authenticator
- by Vince
-
in Blog
-
Hits: 2464
I ran into an issue while installing Google Authenticator on Ubuntu 18 and although the solution is simple, it's given me an opportunity to discuss three items.
First, the issue:
You attempt to install Google Authenticator using the following:
sudo apt install libpam-google-authenticator
And you're presented with the following error:
E: Unable to locate package libpam-google-authenticator
This is a bug in Ubuntu 18.04.1 which should be resolved when 18.04.2 is released. Universe should be enabled by default but it is not. The solution is simple, add the universe repository using the following:
sudo add-apt-repository universe
Second, installing Google Authenticator which wasn't worth a post on its own since there are a number of articles that do a decent job. But since I'm making two other points... we need to install it:
See above for the installation, now we're going to run:
google-authenticator
You're going to be asked a number of questions, answer Y to all of them (or you could read the questions if you like). When you're presented with the QR code, scan it with the Google Authenticator app on your phone.
Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: redacted
Your verification code is redacted
Your emergency scratch codes are:
redacted
redacted
redacted
redacted
redacted
Do you want me to update your "/home/redacted/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
When you finish with the above, you're going to edit:
sudo nano /etc/ssh/sshd_config
Add or change the following lines to match what I have below:
ChallengeResponseAuthentication yes
UsePAM yes
We need to restart SSH:
sudo service ssh restart
One more edit:
sudo nano /etc/pam.d/sshd
At the bottom, add the following:
auth required pam_google_authenticator.so
Do not close your SSH session window!! We want to test our changes prior to losing our current SSH session.
Start a new SSH session, enter your username, password. You should also get prompted for a verification code. Enter the verification code. If you're logged in, all is well. If not, double check the settings from the original session and see where things went wrong.
If you recall from the start of this post, I had three points. My third point is that I frequently hear people say Google Authenticator is dangerous because you can lose your phone and therefore you'll lose your ability to authenticate.
When you started the setup process for Google Authenticator, you were given five emergency codes. If you lose your phone, you can use one of these emergency codes. Though, once you use a code, it becomes inactive. In addition to the emergency codes, you can add Google Authenticator to another devices. You'll have to manually setup each account using the "secret key" but that will give you a second backup in case something should happen to your primary device.