After adding ssh keys, as I try to always do on my systems, I went on to install the Google Authenticator module.
Install and setup
construct:~# apt-cache search google-authenticator
libpam-google-authenticator - Two-step verification
construct:~# apt-get install libpam-google-authenticator
Then, as my user, I just run google-authenticator to set it up:
henrik@construct ~ $ google-authenticator
[HUUGE QR CODE HERE REMOVED FOR READABILITY..]
Your new secret key is: REMOVED
Your verification code is 001234
Your emergency scratch codes are:
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
henrik@construct ~ $
I then added the account to my phone by scanning the QR code, but the option to enter the secret manually is also there.
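The options chosen above (30-second tokens, one extra token accepted before and after the current time, no reuse of a token, single-use scratch codes) come down to a small verifier. This is an added Python example, not the PAM module's own code; the secret (the RFC 6238 test key) and the ~/.google_authenticator contents are constructed, and the file layout assumed here is the base32 secret on the first line, option lines quoted with `" `, then scratch codes one per line.

```python
# Added example, not the PAM module's code; secret and file are constructed.
import base64
import hashlib
import hmac
import struct

# Constructed ~/.google_authenticator (assumed layout): base32 secret on the
# first line, option lines quoted with '" ', then scratch codes one per line.
# The secret is the RFC 6238 reference key, so the codes are the RFC's.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

def parse_config(text):
    lines = [l for l in text.splitlines() if l.strip()]
    secret = base64.b32decode(lines[0], casefold=True)
    options = [l[2:] for l in lines[1:] if l.startswith('" ')]
    scratch = {l for l in lines[1:] if not l.startswith('" ')}
    return secret, options, scratch

def totp(secret, step, digits=6):
    """HOTP (RFC 4226) over the 30-second step counter, i.e. TOTP (RFC 6238)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))

class Verifier:
    def __init__(self, text, skew=1):
        self.secret, self.options, self.scratch = parse_config(text)
        self.reuse_forbidden = "DISALLOW_REUSE" in self.options
        self.skew = skew          # extra steps accepted before and after now
        self.used = set()         # time steps already spent on a login
    def check(self, code, now):
        if code in self.scratch:  # emergency scratch codes are single-use
            self.scratch.discard(code)
            return True
        step = now // 30
        for s in range(max(0, step - self.skew), step + self.skew + 1):
            if hmac.compare_digest(totp(self.secret, s), code):
                if self.reuse_forbidden and s in self.used:
                    return False  # same token presented twice: rejected
                self.used.add(s)
                return True
        return False
```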
Enable the module
In /etc/ssh/sshd_config, set ChallengeResponseAuthentication to yes so that sshd hands the login over to PAM for the code prompt; the Debian default file marks that line with this comment:
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
While in there I also like to set PermitRootLogin to no:
PermitRootLogin no
(root is disabled by default on the Pi by not having any password set, but this is still something I just want to have there..)
Then add the module to the PAM stack that sshd uses, /etc/pam.d/sshd:
auth required pam_google_authenticator.so
Lastly restart sshd for changes to take effect.
construct:~# service ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.
Now when I log in from a host that does not have a saved ssh key I get asked for the verification code:
Linux construct 3.6.11+ #456 PREEMPT Mon May 20 17:42:15 BST 2013 armv6l
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jul 5 17:07:05 2013 from mbp.0xdead.se
It’s that easy to worry a little less about your password getting stolen!