I am a big fan of RPi and I allowed one of my RPis (I have 3) to be accessible from the Internet via SSH. But I was stressed because somebody might do a DoS on my device with the intent to hack into it and this way would prevent me from accessing it.
So, wanting to secure it, I researched a bit how to enable two-factor authentication for SSH. I don’t want expensive SMS services; actually, I don’t want to pay anything at all.
I found some great tutorials on the net, and here is my take on how to enable this great service via Google’s open-source Authenticator.
Google provides the necessary software to integrate Google Authenticator’s (GA) time-based one-time password (TOTP) system. You can couple GA with an SSH server. After this, you’ll have to enter the code from your phone when you connect, in addition to the username and password.
You will have to use the PAM module which is available in Raspbian’s repository. The PAM module can add a two-factor authentication step to any PAM-enabled application. It supports:
- Per-user secret and status file stored in user’s home directory
- Support for 30-second TOTP codes
- Support for emergency scratch codes
- Protection against replay attacks
- Key provisioning via display of QR code
- Manual key entry of RFC 3548 base32 key strings
Here is how to enable it:
1. Install the lib and the program
# sudo apt-get install libpam-google-authenticator
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
The following NEW packages will be installed:
0 upgraded, 2 newly installed, 0 to remove and 27 not upgraded.
Need to get 56.8 kB of archives.
After this operation, 181 kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://mirrordirector.raspbian.org/raspbian/ wheezy/main libqrencode3 armhf 3.3.0-2 [31.8 kB]
Get:2 http://mirrordirector.raspbian.org/raspbian/ wheezy/main libpam-google-authenticator armhf 20110413.68230188bdc7-1.1 [25.0 kB]
Fetched 56.8 kB in 0s (102 kB/s)
Selecting previously unselected package libqrencode3:armhf.
(Reading database … 93376 files and directories currently installed.)
Unpacking libqrencode3:armhf (from …/libqrencode3_3.3.0-2_armhf.deb) …
Selecting previously unselected package libpam-google-authenticator.
Unpacking libpam-google-authenticator (from …/libpam-google-authenticator_20110413.68230188bdc7-1.1_armhf.deb) …
Processing triggers for man-db …
Setting up libqrencode3:armhf (3.3.0-2) …
Setting up libpam-google-authenticator (20110413.68230188bdc7-1.1) …
2. Start the GA program and set it up
Note that I marked the answers I provided to the tool as heading two.
Google Authenticator will present you with a secret key and several “emergency scratch codes.” Write down the emergency scratch codes and keep them safe because they can only be used one time each, and they’re intended for use if you don’t have your phone at hand.
Your new secret key is: K4QP6XXXXXXXXJLQ
Your verification code is 280506
Your emergency scratch codes are:
Do you want me to update your “~/.google_authenticator” file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
Now comes the interesting part: enable the authentication process.
3. Set up the app on your mobile
Enter the secret key in the Authenticator app on your phone (official apps are available for Android, iOS, and even Blackberry). I personally love the scan barcode feature – go to the URL located near the top of the command’s output and you can scan a QR code with your phone’s camera. After this, you will see the following in your app (here on iOS):
Note that I have two codes. The first one is from Google’s two-factor authentication for their services and the second one is for RPi.
4. Activate GA to work with the PAM module and SSH
Open the /etc/pam.d/sshd file on your system (for example, with the sudo nano /etc/pam.d/sshd command, or just use mc) and add the following line to the file (without a leading #, which would turn it into a comment):
auth required pam_google_authenticator.so
Open the /etc/ssh/sshd_config file, locate the ChallengeResponseAuthentication line, which is set by default to “no”, and change it to “yes”, so that the line reads ChallengeResponseAuthentication yes.
Finally, restart the SSH server so your changes will take effect:
# sudo /etc/init.d/ssh restart
Do not close the active ssh window if you have one: if something went wrong, you can quickly debug it from there. Open a new ssh window to test instead.
5. Test your service
login as: sorin
Using keyboard-interactive authentication.
Using keyboard-interactive authentication.
Verification code: 123456
That’s it. I hope it works out of the box and you can enjoy your Raspberry Pi in safety.
© Copyright 2013 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity