Mac OSX ssh login with Google Authenticator

swmoon203 edited this page Jan 23, 2014 · 6 revisions

https://code.google.com/p/google-authenticator/

You need xcode installed or command line tool installed

1. Download source & unpack

https://code.google.com/p/google-authenticator/downloads/list

2. Make & Install

mini:~ user$ cd libpam-google-authenticator-1.0
mini:libpam-google-authenticator-1.0 user$ sudo make install
mini:libpam-google-authenticator-1.0 user$ sudo cp pam_google_authenticator.so /usr/lib/pam

3. Config SSH

/etc/pam.d/sshd

  1. Make backup file
  2. Add line auth required pam_google_authenticator.so

/etc/sshd_config

  1. Make backup file
  2. Change #ChallengeResponseAuthentication yes to ChallengeResponseAuthentication yes

4. Setup google-authenticator

mini:~ user$ google-authenticator 

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@mini.local%3Fsecret%3DABCDEFGHIJKLMNOP
Your new secret key is: ABCDEFGHIJKLMNOP 
Your verification code is 000000
Your emergency scratch codes are:
  00000000
  00000000
  00000000
  00000000
  00000000

Do you want me to update your "/Users/user/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
mini:~ user$ 

5. Restart SSH

mini:~ user$ sudo launchctl unload  /System/Library/LaunchDaemons/ssh.plist
mini:~ user$ sudo launchctl load  /System/Library/LaunchDaemons/ssh.plist
mini:~ suer$ 

6. Google Authenticator App

  1. Add Entry

img_0255 2. Select Manual Entry

img_0256 3. Type secret key into Key ex) Your new secret key is: ABCDEFGHIJKLMNOP

7. Test

MacBook-Pro:~ user$ ssh 10.0.0.6
Password:
Verification code: 
Last login: Wed Jan 22 19:57:39 2014 from 10.0.0.114
mini:~ user$ 

http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.