I wrote a quick article on how to remove the Google Authenticator function of your server when you’re using it logging in through SSH.
Tag Archives: authenticator
Howto remove Google authenticator from SSH logins
I used the Google authenticator for quite some time now and i must say i like it. As showed in my earlier article on how to install the Google authenticator app it is pretty straightforward to install the second authentication factor.
But is it also easy to uninstall the feature? Yes it is.
Step 1:
Make sure -in case something goes wrong- that you (temporarily) have alternative ways to access your server. Think of console access or even (watch carefully) telnet access.
Step 2:
Disable ChallengeResponseAuthentication within your SSH configuration:
user@server:~$ vi /etc/ssh/sshd_config
Change the value from yes to no
ChallengeResponseAuthentication no
Save the changes.
Step 3:
Change your /etc/pam.d/ssh configuration:
user@server:~$ vi /etc/pam.d/sshd
Remove or comment-out the following line:
auth required pam_google_authenticator.so
Save the changes.
Step 4:
Remove the .google_authenticator file from each of the home directories of users that you used the Google authenticator app for.
user@server:~$ rm .google_authenticator
Step 5:
Restart the SSH daemon.
user@server:~$ sudo /etc/ssh/ssh restart
That should be it!
Howto: Two-Factor authentication on Ubuntu 12.04 LTS
For a more secure terminal (SSH) environment, you can add a second factor to authenticate a user. I personally run Ubuntu and i implemented the Google Authenticator on my Ubuntu system using the Google Authenticator Library of Google in combination with my iPhone with the Google Authenticator App.
See the following howto:
Two-Factor authentication on Ubuntu 12.04 LTS using Google Authenticator
For a more secure terminal (SSH) environment, you can add a second factor to authenticate a user. I personally run Ubuntu and i implemented the Google Authenticator on my Ubuntu system using the Authenticator Library of Google in combination with my iPhone with the Google Authenticator App. Implementation is quite simple, simply follow the instructions down below and make sure that you store the generated emergency keys somewhere safe!!
1. Login to your system running Ubuntu as the user you want to authenticate with a second factor. Make sure this user has sufficient sudo rights.
2. Install the Google Authenticator library
user@server:~$ sudo apt-get install libpam-google-authenticator
3. After installing run the Google Authentication binary
user@server:~$ google-authenticator
A QR-code is generated together with a secret key ad several emergency keys. Make sure you store these keys somewhere safe!!
Your new secret key is: HLWRXFRGYHUIJNB Your verification code is 871635 Your emergency scratch codes are: 19818226 22287050 91334077 95162257 36657802
4. Scan the presented QR-code with your Google Authenticator app (see instructions on your smartphone)
5. Answer the following questions the way you prefer it for your system
Do you want me to update your "~/.google_authenticator" file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
6. Edit /etc/pam.d/sshd to activate the Google Authenticator while logging in through SSH
user@server:~$ vi /etc/pam.d/sshd
7. Add the following line at the bottom of the file and safe the file
auth required pam_google_authenticator.so
8. Edit /etc/ssh/sshd_config and enable the ChallengeResponseAuthentication directive
user@server:~$ vi /etc/ssh/sshd_config
Change the following directive from ‘no’ to ‘yes’ and safe the file
ChallengeResponseAuthentication yes
9. Restart the SSH daemon
user@server:~$ sudo /etc/ssh/ssh restart
Afther giving in your username/password your system will now ask you for your Google Authenticator token!