I've really been loving Google Authenticator as a method for securing htaccess sites. I was curious whether I could put it to work in yet another tricky context. Usually, I set sshd on my servers to disallow password entry and rely solely on ssh keys. The problem is, occasionally I'll want to log in from a location where I don't have easy access to my keys. I started wondering how tricky it would be to use Google Authenticator as a backup. That is, if I have a key, use it; otherwise, go through the dance of both a password and a one-time-use Google Authenticator password.
Turns out, it's not particularly tricky at all. Here's what you need to do:
- Install the Google Authenticator package, which includes the appropriate PAM module. For me, this was as easy as running: sudo yum install google-authenticator
- Set up your .google_authenticator file and cell phone, as described here.
- Edit /etc/pam.d/sshd and set the first two lines to be:

    #%PAM-1.0
    auth required pam_google_authenticator.so

- Edit /etc/ssh/sshd_config and make sure the following are set:

    ChallengeResponseAuthentication yes
    UsePAM yes
    PasswordAuthentication yes

- Restart sshd
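
A quick way to check the two files against the steps above before restarting sshd. This is an added example, not part of the original post: the function names and the sample files are made up for illustration, and the parser only reads the global section of sshd_config (it stops at the first Match block).

```shell
# Print the value sshd uses for keyword $2 in the global section of file $1.
# Keywords are case-insensitive, the first occurrence wins; stops at Match.
effective_value() {
  awk -v key="$2" '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$1"
}

# Succeed only if all three directives from the post are explicitly "yes".
# An absent directive counts as a failure so nothing rests on defaults.
check_sshd_config() {
  rc=0
  for key in ChallengeResponseAuthentication UsePAM PasswordAuthentication; do
    val=$(effective_value "$1" "$key")
    if [ "$val" != "yes" ]; then
      echo "FAIL: $key is '${val:-unset}', expected 'yes'" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Succeed only if the first rule in the PAM file is the one from the post.
check_pam_sshd() {
  awk '
    /^[ \t]*(#|$)/ { next }
    { ok = ($1 == "auth" && $2 == "required" && $3 == "pam_google_authenticator.so"); exit }
    END { exit (ok ? 0 : 1) }
  ' "$1"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '%s\n' '#%PAM-1.0' 'auth required pam_google_authenticator.so' \
  'auth include password-auth' > "$demo/pam.good"
printf '%s\n' '#%PAM-1.0' 'auth include password-auth' \
  'auth required pam_google_authenticator.so' > "$demo/pam.late"
printf '%s\n' 'ChallengeResponseAuthentication yes' 'UsePAM yes' \
  'PasswordAuthentication yes' > "$demo/sshd.good"
# An earlier "no" shadows the later "yes": the first occurrence wins.
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication yes' \
  'UsePAM yes' 'PasswordAuthentication yes' > "$demo/sshd.shadowed"

for f in sshd.good sshd.shadowed; do
  check_sshd_config "$demo/$f" && echo "$f: ok" || echo "$f: FAIL"
done
check_pam_sshd "$demo/pam.good" && echo "pam.good: ok"
check_pam_sshd "$demo/pam.late" || echo "pam.late: FAIL"
```

On a real server, point the two check functions at /etc/ssh/sshd_config and /etc/pam.d/sshd, and keep an existing session open while restarting sshd in case the new configuration locks you out.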
Now, when I ssh with keys (or an agent), I get in as usual. But, if I don't have keys, it kindly prompts me for the one-time Google Authenticator code and my regular password.
Amazingly slick, if I do say so myself.