More and more of my life is hidden behind passwords, and a single point of failure is not desirable. So I’ve turned on two-factor authentication for almost every service I use, including my own servers.
Using Google Authenticator on my iPhone, an attacker now needs both something I know (a password) and something I have (my phone) to get into my accounts. For my home servers [plural…] I’ve started to use libpam-google-authenticator to get the same protection on SSH.
For normal use, public-key authentication is adequate for securing my home media and backups. Occasionally, though, I want to reach my machines from somewhere else, such as a friend’s computer, where my key isn’t available. The simple solution would be to re-enable password authentication, but that invites the brute-force attempts that fill up the logs, and a password alone is exactly the single point of failure I wanted to avoid. Two-factor authentication is the solution: the password stays usable from anywhere, but is useless without the code from my phone.
I have two servers at home, one running Debian 6 (Squeeze) and another running Debian 7 (Wheezy), and these instructions work for both.
- Install the QR-code library that the enrolment tool uses to draw the code in your terminal:
# apt-get install libqrencode3
- Download libpam-google-authenticator from the Debian web site and install it using
# dpkg -i $file.deb
- Modify your /etc/ssh/sshd_config so that
ChallengeResponseAuthentication yes
PasswordAuthentication yes
are both enabled. The prompt for the verification code is delivered through challenge-response (keyboard-interactive) authentication, so the first setting is required; UsePAM yes, the Debian default, must stay on as well.
- At the end of /etc/pam.d/sshd put the line
auth required pam_google_authenticator.so
so that it runs after the @include common-auth line: the password is checked first, then the verification code. Because the line is required, a user who has not yet run google-authenticator will be refused password logins.
- Restart sshd, and keep your current session open until you have confirmed that a fresh login still works:
# service ssh restart
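The server-side steps above as one script, so they can be re-run without stacking duplicate lines and with the sshd configuration checked before the restart. This is an added example, not code from the original post; it assumes the Debian default paths /etc/ssh/sshd_config and /etc/pam.d/sshd, and the function names are mine.

```sh
#!/bin/sh
# Added example (not from the original post): apply the sshd and PAM changes
# idempotently and validate the result before restarting sshd.
# Assumes Debian's default paths /etc/ssh/sshd_config and /etc/pam.d/sshd.

# set_sshd_option FILE KEY VALUE
# Rewrite every existing KEY line, commented out or not, to "KEY VALUE", or
# append the line if the keyword is absent. sshd honours the first match, so
# rewriting all copies stops a stale uncommented duplicate from winning.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Print the value sshd would use: the first uncommented, case-insensitive match.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# ensure_pam_line FILE LINE
# Append LINE exactly once; a second copy of the module line would mean a
# second verification-code prompt on every login.
ensure_pam_line() {
    grep -Fqx "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

apply_to_system() {
    sshd_config=/etc/ssh/sshd_config
    pam_sshd=/etc/pam.d/sshd
    cp -p "$sshd_config" "$sshd_config.bak"   # something to roll back to
    cp -p "$pam_sshd" "$pam_sshd.bak"
    # The code prompt arrives via keyboard-interactive, which
    # ChallengeResponseAuthentication enables; the password is the first
    # factor; UsePAM must stay on; remote root logins stay off.
    set_sshd_option "$sshd_config" ChallengeResponseAuthentication yes
    set_sshd_option "$sshd_config" PasswordAuthentication yes
    set_sshd_option "$sshd_config" UsePAM yes
    set_sshd_option "$sshd_config" PermitRootLogin no
    # Appended after "@include common-auth": password first, then the code.
    ensure_pam_line "$pam_sshd" 'auth required pam_google_authenticator.so'
    # Restart only if sshd accepts the file; a typo here locks you out.
    # Keep the current session open until a fresh login succeeds.
    /usr/sbin/sshd -t && service ssh restart
}

# Only touch the live system when run as root with --apply; otherwise the
# functions are merely defined, so the script can be sourced and tried on copies.
if [ "${1:-}" = --apply ] && [ "$(id -u)" -eq 0 ]; then
    apply_to_system
fi
```

Run it as root with --apply to change the live system. Without the flag it only defines the functions, so you can source it and point set_sshd_option and ensure_pam_line at copies of the two files to see what would change before committing to it.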
Now you’ll have libpam-google-authenticator installed on your server, but nothing uses it yet: no user has a secret, and public-key logins never go through PAM’s auth stack anyway. To enable it, log in as a normal user and run google-authenticator.
Don’t run google-authenticator as root, though: it’s a silly idea to enable remote root logins in the first place, so root has no business having a second factor.
Proceed through the questions—I went with yes, yes, no and then yes—then scan the code with your Google Authenticator App and make a note of your emergency scratch codes. If you ever need to see the codes again, you’ll find them in
Now whenever you log in with a password, libpam-google-authenticator will also ask you for a verification code from your iPhone. sshd delivers that second prompt through keyboard-interactive authentication, which is what ChallengeResponseAuthentication switched on; the plain password method can only hand the password itself to every prompt, so it cannot satisfy the module. To test this (assuming you have public-key authentication enabled), log in with public-key authentication disabled on the client side:
ssh -o PubkeyAuthentication=no user@example.com
You should be asked for your password and then for a verification code, and a wrong or missing code must be refused.
Thanks to highball.se and Francis Tang for their articles on this topic.