
Linux Secure SSH - Two step verification

Szafi

Hello.
How to create two-step SSH authentication on your dedicated server or VPS.



Let's go!


Code:
cd /root
Code:
apt-get update
Code:
apt-get upgrade
Code:
apt-get install libpam0g-dev make wget
Code:
cd /root
Code:
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
Code:
tar -xvf libpam-google-authenticator-1.0-source.tar.bz2
Code:
cd libpam-google-authenticator-1.0
Code:
make
Code:
make install
Code:
nano /etc/pam.d/sshd

Add at the end of the file:
Code:
auth required pam_google_authenticator.so

Save the file and open:
Code:
nano /etc/ssh/sshd_config
Next, search for
Code:
ChallengeResponseAuthentication no
and change to
Code:
ChallengeResponseAuthentication yes
Code:
/etc/init.d/ssh restart

How to configure?
Run
Code:
google-authenticator
and answer the questions.

Once you have answered all the questions, the program prints a message like this example:

Code:
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@twojhost%3Fsecret%3DTEST
Your new secret key is: SEKRETNY KLUCZ
Your verification code is KOD WERYFIKACYJNY
Your emergency scratch codes are:
123
456
789
123
123
423

Next, download the "Google Authenticator" app from the Apple Store or Google Play:
Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
Apple Store: https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8

Once you have installed the app on your phone, scan the code (see line 2 of the "example message" above: paste the URL into a web browser).

End ;) If you have more users on the server, switch to each user with the command: su user (example "su theforgottenserver") and run
Code:
google-authenticator
to configure a key for the theforgottenserver user. You will have to answer the questions again and scan a new QR code for the theforgottenserver user.

DONE! :)

This is my first tutorial and I'm from Poland. Sorry for my weak language. Please comment, rate and .... more :x

Szafi (Old Sessam).
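
A check to run after the steps in the post above, as an added example that is not part of the original post: it audits the PAM line and the sshd_config option the tutorial changes. The function names are made up for this example, it assumes a single flat sshd_config, and the UsePAM and key-login checks go beyond the post's own steps.

```shell
# Added example (not from the original post): audit the two files the tutorial edits.
# sshd_value FILE KEYWORD: print the first global value of KEYWORD, lowercased.
# sshd uses the first occurrence of a keyword; Match blocks and Include files
# are not followed here (assumption: a single flat sshd_config).
sshd_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                        # drop comments
        tolower($1) == "match" { exit }           # global section only
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# pam_has_totp FILE: succeed if an uncommented auth line loads the module.
pam_has_totp() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$1"
}

# audit_2fa PAM_FILE SSHD_CONFIG: print findings, return the number of FAILs.
audit_2fa() {
    pam_file=$1 sshd_file=$2 problems=0
    if ! pam_has_totp "$pam_file"; then
        echo "FAIL: no active pam_google_authenticator.so auth line in $pam_file"
        problems=$((problems + 1))
    fi
    # Newer OpenSSH releases call this option KbdInteractiveAuthentication.
    cr=$(sshd_value "$sshd_file" ChallengeResponseAuthentication)
    [ -n "$cr" ] || cr=$(sshd_value "$sshd_file" KbdInteractiveAuthentication)
    if [ "$cr" != yes ]; then
        echo "FAIL: ChallengeResponseAuthentication is '${cr:-unset}', expected yes"
        problems=$((problems + 1))
    fi
    if [ "$(sshd_value "$sshd_file" UsePAM)" != yes ]; then
        echo "FAIL: UsePAM is not set to yes in $sshd_file"
        problems=$((problems + 1))
    fi
    # Public-key logins do not go through the PAM auth stack.
    if [ "$(sshd_value "$sshd_file" PubkeyAuthentication)" != no ] &&
       [ -z "$(sshd_value "$sshd_file" AuthenticationMethods)" ]; then
        echo "WARN: key-based logins are not asked for a verification code"
    fi
    return "$problems"
}

# Constructed sample files: the state after following the tutorial.
demo=$(mktemp -d)
printf 'auth required pam_google_authenticator.so\n' > "$demo/pam"
printf 'UsePAM yes\nChallengeResponseAuthentication yes\n' > "$demo/sshd"
audit_2fa "$demo/pam" "$demo/sshd" && echo "OK: both files match the tutorial"
rm -rf "$demo"
```

To audit a real host, call `audit_2fa /etc/pam.d/sshd /etc/ssh/sshd_config` as root and keep an existing SSH session open until a fresh login has been tested.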
 
Nice tutorial!

However it looks like you're screwed if you don't have one of those new fancy smart phones unless there is some alternative.
 
Nice tutorial!

However it looks like you're screwed if you don't have one of those new fancy smart phones unless there is some alternative.
An alternative to "google-authenticator" is sending an SMS to your telephone number. The message contains a random code to log in to your server, but you pay for each SMS. I have an SMS solution for when the password is wrong. The server sends an SMS: the IP address and more information that the user entered the wrong data.

private ssh key + port knocking
Yes ;)
 
As of Debian 8 (jessie), you can install it using:
apt-get install libpam-google-authenticator
 
An alternative to "google-authenticator" is sending an SMS to your telephone number. The message contains a random code to log in to your server, but you pay for each SMS. I have an SMS solution for when the password is wrong. The server sends an SMS: the IP address and more information that the user entered the wrong data.


Yes ;)
What is wrong with a private SSH key and port knocking?
 
219 views and only 5 comments? Write if you are using it, and comment. I'm curious :)
 