Google Authenticator (and implementing it on Linux)

A few weeks ago Google brought their two-factor auth product, Google Authenticator, to the iPhone and Android devices.  (There may be other implementations they released, but those are all I’ve actually touched.)  Their immediate use for it was with your google accounts, specifically Google mail seemed to be their target. The day after it was released, I was lucky enough to have it turned on for my accounts and I’ve been using it since then.

Not that I’m an internet security expert, but it’s seems a pretty straight-forward software token implementation. On Google’s side, to seed the software on your smartphone, it uses a QR code. (I point this out as its one of the few uses of QR codes in the wild that I’ve seen that doesn’t make me want to vomit everywhere. For the record, the only other use of QR codes that I have condoned is @tcar using them to rickroll people.) They also give you a hand full of one time password codes for you to print out to keep in your wallet in case you are without your smartphone.

In practice with Google’s accounts, when you log in, you’re additionally asked for the current code.  At that time, you can choose to have google assume the machine you’re on is good for 30 days.  For a home or work machine that isn’t going anywhere, that’s probably safe, but I find myself not checking that box a lot.

The only downside is that any application you have that interacts with a Google service but can’t do a secondary form of authentication, such as an mail/IMAP client, you’ll need to set up “application-specific passwords.” These are passwords that application alone uses to get to your account that you can revoke at any time. Its not difficult, its just tedious as I ended up needing to create 10 different passwords due to the variety of applications I use that interact with Google.  However, now that they are set up, I don’t have to touch them again unless one of the passwords get compromised.

In any case, if you depend on some google services, and you have a smartphone, I highly recommend looking into this with your account.

After using Google Authenticator for a few days with google, I became aware of their project on google code. Besides having the code for the Android and Blackberry applications, it contains code for a PAM module. That really peaked my interest as I’ve always toyed with the idea of implementing two-factor auth at home and on the server I share with my friends, but there hasn’t really been a conveniently deployable way to do it.

Here’s where the linux part starts

There’s no code release for the PAM module yet, so you’ll need to check out a copy using Mercurial.  Once that’s downloaded, you want to make sure you have your PAM development libraries installed.  I also suggest (as the Google wiki’s page says) having libqrencode installed so the google-authenticator command line setup tool can spit a QR code out at you to more easily activate it in your smartphone.  Once those are there, its a pretty easy compile since the Google folks seem to be developing it on Linux. If you’re on another platform, your milage may vary.  I also see via a comment on the wiki page that someone made a Ubuntu ppa of it, so that might simplify matters as well.

By default, the PAM module is all or nothing, so either all your users need to be set up for two-factor auth or no one can be.  There is a patch that allows you to modify this behavior to ignore two-factor auth if it hasn’t been set up or not, which would work for a good transitory period. I haven’t implemented this yet, as its from a recent comment on the wiki page, but when I go to implement this on my shared server I’ll be making use of it.

On my ubuntu server, once the PAM module was installed, I just added the following line to /etc/pam.d/sshd after the existing “@include common-auth“:

auth required pam_google_authenticator.so

Once that was added, I ran the google-authenticator command line tool to create the shared secret and control file for the two-factor authentication.  Once you run it you should see something like this:

Once you say yes to that question and capture the QR code with Google Authenticator on your smartphone, you’re bleepin’ golden.  (Yes, I dummied up an account to generate that, took the screenshot, and then erased that account.  I’m not completely dumb.)

One thing you might need to do is edit your sshd configuration to make sure that ChallengeResponseAuthentication is turned on.  This allows ssh to interactively do extra challenges as required by PAM.  By default this is off in Fedora and Ubuntu.

10 thoughts on “Google Authenticator (and implementing it on Linux)”

  1. Weird. On my ubuntu machine it didn’t work unless I put the auth reuqired pam_google_authenticator.so line above @include common-auth

  2. An alternate idea to the “all or nothing” problem: use PAM to ignore the authenticator if you’re not in a certain group. The following configuration checks if the user is in group “secure,” and if they are, the authenticator is used. Otherwise, it is ignored. (The logic is somewhat backwards here, but it works.)

    auth [default=ignore success=1] pam_succeed_if.so quiet user notingroup secure
    auth required pam_google_authenticator.so

  3. Doug, that’s a really good idea. The only thing i don’t like about it is that it requires admin intervention to do that. In some situations that may be desirable. For my needs, the non-admin-attention version is better.

  4. I am fairly naive on the PAM module. Does this authentication set up only for users of the system by default?? Is there an easy way to enable this for users of a web application?? Kinda like the way google implemented for gmail???

  5. suman,

    This module seems to be geared for interactive text based use (ssh, telnet, etc.) I don’t think it’ll work for a web application. Google has been following an open standard, so I expect to see some libraries to help implement this for apache and/or various web frameworks. But this doesn’t seem to be it.

  6. An alternative approach is not to use PAM at all, which is what we did for our open-source duo_unix package, (which supports two-factor auth via one-time passcodes, but also phone callback, SMS, and smartphone push). This allows a user to enable two-factor auth without admin intervention – and also protect SSH pubkey login, which is mutually exclusive with PAM currently in OpenSSH.

    See our blog post about our open-source release here: http://blog.duosecurity.com/2011/04/announcing-duos-two-factor-authentication-for-unix/

  7. Thanks for the mention on the patch – solved an issue I was having on how to get users to be able to run the setup on their own.

Leave a Reply to dbt Cancel reply