With the introduction of Google Authenticator and the ability to use it with ssh I was wondering if someone has gone through a sshd_config setup which would
- first expect a key
- if this fails, fall back to an authentication with Google Authenticator
The idea being to usually connect seamlessly with a key and, usually in less friendly environments, connect with a two factor mechanism.
Yes, I have a setup where I can `ssh` to my server using public key authentication, with a fallback to two-factor authentication with Google Authenticator + password when my private key is not available. These are the steps you can use to set it up.

Installing Google Authenticator
My server is running Ubuntu Bionic Beaver (18.04.1). You can install Google Authenticator using `apt`:

Configuring sshd
Open `/etc/pam.d/sshd` and add the following line at the top:

Open `/etc/ssh/sshd_config` and change one line. The existing line is

and you should change it to
Configuring Google Authenticator for Your Account
The next step is to turn on Google Authenticator for your account. You do this by simply running:
Make sure you run this as the user who will be making ssh connections, not root. Make a note of your new secret key and your emergency scratch codes. The wizard will ask you several questions to configure the security settings for your account.
Configuring Your Mobile App
I use the Google Authenticator app for iPhone. This app has a [+] button that allows me to add a new Time Based Token using the secret key I obtained from the `google-authenticator` command on my server. It was trivial to set up. I can't help you with apps on any other platform, but I imagine the process is equally simple.

Pulling the Trigger
The last thing you need to do is restart `sshd`.

At this point, when you try to connect to the server when your private key is available, authentication just works. When your private key is not available, you will get a prompt for a verification code, then your account password.
Bingo, two-factor authentication.
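Added example, not part of the question or the answer above: a POSIX shell script that performs the two file edits the answer describes (a PAM line at the top of `/etc/pam.d/sshd`, and `ChallengeResponseAuthentication yes` in `/etc/ssh/sshd_config`) on whatever paths it is given, then reads the results back so you can check them on copies before touching the live files and restarting sshd. The module name `pam_google_authenticator.so` and the sshd keyword `ChallengeResponseAuthentication` are the standard ones from libpam-google-authenticator and OpenSSH; the `UsePAM` read-back is my addition, because without `UsePAM yes` the PAM line is never consulted. The sample file contents are constructed for the demo. The key-first behaviour the answer reports follows from sshd's default (no `AuthenticationMethods` set): a successful public key skips PAM entirely, and only when no key is offered does keyboard-interactive authentication run the PAM stack, which asks for the code and then falls through to the password check.

```shell
#!/bin/sh
# Added example (not from the original answer): apply the PAM and sshd_config
# edits to the given files and read them back for verification.
set -eu

PAM_LINE='auth required pam_google_authenticator.so'

# Prepend the PAM line once; running this a second time is a no-op.
enable_pam_otp() {
    if ! grep -qxF "$PAM_LINE" "$1"; then
        { printf '%s\n' "$PAM_LINE"; cat "$1"; } > "$1.tmp"
        mv "$1.tmp" "$1"
    fi
}

# Rewrite the ChallengeResponseAuthentication directive to "yes", or append it
# if absent. Keyword matching is case-insensitive, as sshd treats keywords.
enable_challenge_response() {
    awk 'BEGIN { done = 0 }
         tolower($1) == "challengeresponseauthentication" {
             print "ChallengeResponseAuthentication yes"; done = 1; next
         }
         { print }
         END { if (!done) print "ChallengeResponseAuthentication yes" }' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Read back a directive's value, lower-cased; first occurrence wins, as in sshd.
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { print tolower($2); exit }' "$1"
}

# First line of the PAM stack, which is where the OTP module must sit.
pam_first_line() { head -n 1 "$1"; }

# Demo on constructed copies in a scratch directory, never the live /etc files.
demo_dir="$(mktemp -d)"
printf '%s\n' '@include common-auth' 'account required pam_nologin.so' > "$demo_dir/sshd.pam"
printf '%s\n' 'PubkeyAuthentication yes' 'ChallengeResponseAuthentication no' 'UsePAM yes' > "$demo_dir/sshd_config"

enable_pam_otp "$demo_dir/sshd.pam"
enable_pam_otp "$demo_dir/sshd.pam"      # second run must not duplicate the line
enable_challenge_response "$demo_dir/sshd_config"

echo "PAM stack now starts with: $(pam_first_line "$demo_dir/sshd.pam")"
echo "ChallengeResponseAuthentication = $(sshd_value "$demo_dir/sshd_config" ChallengeResponseAuthentication)"
echo "UsePAM = $(sshd_value "$demo_dir/sshd_config" UsePAM)"   # must be yes, or PAM is never consulted
```

To use it against real files, copy `/etc/pam.d/sshd` and `/etc/ssh/sshd_config` somewhere, run the two `enable_` functions on the copies, diff them against the originals, and only then install them and restart sshd; keep an existing session open while you test the new one so a mistake cannot lock you out.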