This repository has been archived by the owner on Apr 6, 2021. It is now read-only.

Using SFTP with google-authenticator #288

Closed
ThomasHabets opened this issue Oct 10, 2014 · 12 comments

Comments

@ThomasHabets
Contributor

Original issue 289 created by ZhangKPC on 2013-07-29T22:21:52.000Z:

What steps will reproduce the problem?

  1. Using an SFTP application such as FileZilla, attempt to login using username/password.
  2. Password will be denied.

What is the expected output? What do you see instead?
Successful login; denied password instead.

What version of the product are you using? On what operating system?
Latest version on CentOS 6 64bit.

Please provide any additional information below.
Is there a way to disable authenticator for port 22 (SFTP) or even better, have an application-specific password?

@ThomasHabets
Contributor Author

Comment #1 originally posted by James.R.Kung on 2013-09-26T05:43:03.000Z:

Disabling Authenticator for port 22 will disable one of its primary purposes (securing your account over SSH). Why not just create a user account solely for sFTP which does not use Google Authenticator?

@ThomasHabets
Contributor Author

Comment #2 originally posted by ZhangKPC on 2013-09-26T05:44:35.000Z:

Thanks. How would I modify my files to do this?

@ThomasHabets
Contributor Author

Comment #3 originally posted by t.kuntzsch on 2013-10-15T17:19:49.000Z:

You can ignore the google auth for all users of a group, in my case sftpusers.

--- /etc/pam.d/sshd ---
...
#Google Authenticator
auth [default=ignore success=1] pam_succeed_if.so quiet user ingroup sftpusers
auth required pam_google_authenticator.so
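As an added illustration (not code from this thread or from the google-authenticator project), here is a small Python simulation of the Linux-PAM control actions used in the fragment above. It assumes that pam_unix.so sits in the elided "..." lines ahead of the pam_succeed_if line, as Debian's common-auth would place it, and it models module results from a plain dict instead of calling real PAM:

```python
# Added example (not code from the thread or the google-authenticator project):
# a small simulation of Linux-PAM auth-stack control semantics, used to show
# what the fragment above does for members and non-members of "sftpusers".
# Module outcomes are modelled from a context dict; no real PAM is involved.

# Linux-PAM's keyword controls expand to these action tables (reduced to the
# "success" and "default" cases, which is all this stack needs).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(token):
    """Return an action table for a keyword or a bracketed [k=v ...] control."""
    if token.startswith("["):
        return dict(kv.split("=", 1) for kv in token.strip("[]").split())
    return KEYWORD_CONTROLS[token]


def run_stack(stack, modules, ctx):
    """Evaluate `stack` (list of (control, module)) against `ctx`.

    Returns (overall_result, names_of_modules_actually_called).
    Actions follow pam.conf(5): ok/bad contribute and continue, die/done
    stop the stack, ignore contributes nothing, and an integer N behaves
    like ok but skips the next N modules.
    """
    result = None  # None: no module has contributed to the verdict yet
    called = []
    skip = 0
    for control, name in stack:
        if skip:
            skip -= 1
            continue
        table = parse_control(control)
        status = modules[name](ctx)
        called.append(name)
        action = table.get(status, table.get("default", "bad"))
        if action.isdigit():
            skip = int(action)
            action = "ok"
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if result is None:
                result = "success"
            if action == "done":
                break
        else:  # "bad" or "die": a failure overrides any earlier success
            result = "auth_err"
            if action == "die":
                break
    return (result or "auth_err"), called


def pam_succeed_if(ctx):
    """Models 'pam_succeed_if.so quiet user ingroup sftpusers'."""
    return "success" if "sftpusers" in ctx["groups"] else "auth_err"


def pam_google_authenticator(ctx):
    return "success" if ctx["otp_ok"] else "auth_err"


def pam_unix(ctx):
    return "success" if ctx["password_ok"] else "auth_err"


# The comment's fragment, with pam_unix.so standing in for the lines it
# elides ("...", normally Debian's common-auth).  This ordering is assumed.
SSHD_AUTH_STACK = [
    ("required", "pam_unix.so"),
    ("[default=ignore success=1]", "pam_succeed_if.so"),
    ("required", "pam_google_authenticator.so"),
]
MODULES = {
    "pam_unix.so": pam_unix,
    "pam_succeed_if.so": pam_succeed_if,
    "pam_google_authenticator.so": pam_google_authenticator,
}


def authenticate(user, groups, password_ok, otp_ok):
    """Run the simulated sshd auth stack for one login attempt."""
    ctx = {"user": user, "groups": set(groups),
           "password_ok": password_ok, "otp_ok": otp_ok}
    return run_stack(SSHD_AUTH_STACK, MODULES, ctx)


if __name__ == "__main__":
    # sftp-only account: the password alone is enough, the OTP module is skipped
    print(authenticate("ftpbob", ["sftpusers"], True, False))
    # shell account: the password alone is refused, the OTP module is still run
    print(authenticate("alice", ["users"], True, False))
```

Two things the simulation makes visible: `success=1` jumps over exactly one module, so any line later inserted between the pam_succeed_if and pam_google_authenticator lines changes who gets skipped; and because the authenticator line is `required` rather than `requisite`, a non-member whose password is wrong is still asked for a code before the stack reports failure.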

@ThomasHabets
Contributor Author

Comment #4 originally posted by layanto@yahoo.com on 2014-02-18T01:00:45.000Z:

I am a newbie to Linux land so my suggestion may be completely off the mark. Is it possible to have the google authenticator PAM expect a password which is a concatenation of password and OTP?
So when a user logs in either via ssh or SFTP, they enter username, then enter password (concatenation of password and OTP). Then the google authenticator pam strips the last 6 characters of the password and checks the OTP as it is currently doing. If the check passes, then it passes the password (minus the last 6 characters) into the UNIX PAM to check the password against shadow. As such, both ssh and SFTP will only ask for one password, even though technically they are two passwords in one. Maybe then Filezilla as SFTP client will work with two factor authentication?

Please advise.

@ThomasHabets
Contributor Author

Comment #5 originally posted by dominikruf on 2014-07-09T20:34:25.000Z:

I like this idea

@ThomasHabets
Contributor Author

Comment #6 originally posted by dominikruf on 2014-07-10T19:34:58.000Z:

@laya
I just found out there is already an option for this
simply add forward_pass to your pam configuration

auth required pam_google_authenticator.so forward_pass

more details are here
https://code.google.com/p/google-authenticator/source/browse/libpam/README#73

@ThomasHabets
Contributor Author

Comment #7 originally posted by dominikruf on 2014-07-21T17:29:00.000Z:

OK it was a bit more complicated
but now I am able to use sftp with nautilus.

  1. I added

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

     to /etc/pam.d/sshd and removed the "@include common-auth" line
     because common-auth didn't use "use_first_pass".
  2. Sadly this was not enough because nautilus doesn't like it when the password prompt asks "Password & verification code: " instead of just "Password: ".
     So I replaced the corresponding string in the sources and recompiled it. (pam_google_authenticator.c line 1407)

Now I can open a sftp url in nautilus when I enter my password and the verification code.

@ThomasHabets
Contributor Author

Comment #8 originally posted by delicadosecreto on 2014-07-30T05:49:23.000Z:

Dominic,

I find this particular issue very interesting. If we create a new user group without auth, the system will be vulnerable as if there was no auth for any user. I don't use FTP since it is very insecure; SFTP is the only solution. In this particular situation, if changes need to be done, the source needs to be updated.

I would appreciate it if you could elaborate on your "workaround" in the form of a tutorial, because more than one person has this problem and needs proper guidance, myself included. I've landed on this page because I imagined that I would have this problem if I used google-authenticator and SFTP for my server.

Thank you,

@ThomasHabets
Contributor Author

Comment #9 originally posted by delicadosecreto on 2014-07-30T07:58:58.000Z:

Ok, I just took a leap of faith and I got it to work. After a few purges of the SSHd from the terminal console.
Here is what I did (mini tutorial).
Following the instructions of Dominik:

Starting from scratch:
For Debian 7:

# apt-get install build-essential libpam0g-dev libpam0g make
# mkdir auth
# cd auth
# wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
# tar -xf *.bz2
# cd libpam-google-authenticator-1.0
# nano Makefile

Add LDFLAGS="-lpam" after the line "VERSION := 1.0" and save

# nano pam_google_authenticator.c

Look for line 1407 and then replace "Password & verification code: " with "Password: " and save

# make
# make install
# cd ..
# rm -r ./auth
# google-authenticator

Type "y" to all unless you want other options, and save the secret key. (You may use your cell phone.) Write down the emergency scratch codes just in case.

# nano /etc/pam.d/sshd

Look for the line almost at the top of the file "@include common-auth" and remove it.
Then at the end of the file add:

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

Save the file

# service ssh restart

Everything is ready you may logout to check the new configuration.

The new syntax for the password will be: [password][Verification Code]
For example you have the password “password” and your cell phone indicates the Verification Code 119988 the new password will be: password119988
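As an added example (not code from this thread or from the google-authenticator project), the Python below implements the "[password][Verification Code]" split that comment #4 proposed and that forward_pass provides: it computes RFC 6238 TOTP codes, peels the last six digits off what the user typed, checks them with a small clock-skew window, and hands the remaining password back for the next module. The secret it uses is the RFC 4226/6238 reference test key, not anyone's enrolment secret, and the six-digit, 30-second parameters are the module's defaults as assumed here:

```python
import base64
import hashlib
import hmac
import struct

OTP_DIGITS = 6      # verification codes are 6 digits
TIME_STEP = 30      # seconds per TOTP window

# Constructed test key: the RFC 4226/6238 reference secret "12345678901234567890"
# encoded in base32.  Not a real enrolment secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=TIME_STEP, digits=OTP_DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1, the variant the PAM module verifies."""
    secret = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def split_forwarded_password(combined, digits=OTP_DIGITS):
    """Split '[password][code]' as typed with forward_pass.

    Returns (password, code), or None when the tail is not a 6-digit code
    or nothing would be left to forward to pam_unix.
    """
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def verify_combined(combined, secret_b32, unix_time, window=1):
    """Check the OTP suffix; return the password part to forward on success.

    `window` is the number of adjacent 30 s steps tolerated for clock skew.
    Returns None on any failure so the caller fails closed.
    """
    parts = split_forwarded_password(combined)
    if parts is None:
        return None
    password, code = parts
    for delta in range(-window, window + 1):
        step_time = max(0, unix_time + delta * TIME_STEP)
        expected = totp(secret_b32, step_time)
        # constant-time comparison of the two digit strings
        if hmac.compare_digest(expected, code):
            return password
    return None


if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector time; the reference key yields 287082
    typed = "password" + totp(DEMO_SECRET_B32, now)
    print(typed, "->", verify_combined(typed, DEMO_SECRET_B32, now))
```

Because the split always takes the last six characters, a password that itself ends in digits (for example "pass2024") is still forwarded intact; what matters for the check is only that the typed string is longer than six characters and ends in a code.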

@ThomasHabets
Contributor Author

Comment #10 originally posted by dominikruf on 2014-07-30T19:16:02.000Z:

Sorry if my explanation was not enough.
I guess it is good to have all the steps written down in one place.

@ThomasHabets
Contributor Author

Comment #11 originally posted by shellsterdude on 2014-08-17T07:35:54.000Z:

Thanks delicado, your directions worked perfectly for me except for a couple of things (debian wheezy):

  1. I didn't need to add the LDFLAGS line (it looks like this is added in the latest release).
  2. The current make file is broken; you need to add an endif right near the top after:

ifeq ($(origin CC), default)
    CC := gcc

@ThomasHabets
Contributor Author

This issue was moved to google/google-authenticator-libpam#24
